diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 224abb8ddd..5d581c9574 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -117,6 +117,22 @@ "moniker_groups": [], "version": 0 }, + { + "docset_name": "known-issues", + "build_source_folder": "windows/known-issues", + "build_output_subfolder": "known-issues", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": false, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, { "docset_name": "mdop-VSTS", "build_source_folder": "mdop", @@ -524,6 +540,10 @@ "master": [ "Publish", "Pdf" + ], + "atp-api-danm": [ + "Publish", + "Pdf" ] }, "need_generate_pdf_url_template": true, diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 97405d2d24..6568445c8a 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -6,6 +6,11 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-containers-help-protect-windows", +"redirect_document_id": true +}, +{ "source_path": "browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md", "redirect_url": "https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility", "redirect_document_id": true @@ -5421,6 +5426,11 @@ "redirect_document_id": true }, { +"source_path": "devices/surface/manage-surface-dock-firmware-updates.md", +"redirect_url": "devices/surface/update", +"redirect_document_id": true +}, +{ "source_path": "devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md", "redirect_url": "/surface-hub/finishing-your-surface-hub-meeting", "redirect_document_id": true @@ -6736,6 +6746,11 @@ "redirect_document_id": true }, { +"source_path": "windows/configuration/multi-app-kiosk-troubleshoot.md", +"redirect_url": "/windows/configuration/kiosk-troubleshoot", +"redirect_document_id": true +}, +{ "source_path": "windows/configure/lock-down-windows-10-to-specific-apps.md", "redirect_url": "/windows/configuration/lock-down-windows-10-to-specific-apps", "redirect_document_id": true @@ -13884,6 +13899,16 @@ "source_path": "education/windows/windows-automatic-redeployment.md", "redirect_url": "/education/windows/autopilot-reset", "redirect_document_id": true +}, +{ +"source_path": "windows/deployment/windows-autopilot/windows-10-autopilot.md", +"redirect_url": "/windows/deployment/windows-autopilot/windows-autopilot", +"redirect_document_id": true +}, +{ +"source_path": "windows/privacy/manage-windows-endpoints.md", +"redirect_url": "/windows/privacy/manage-windows-1809-endpoints", +"redirect_document_id": true } ] } diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index b3be0aa999..42532b3fb2 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index 34e8b2d487..323ba3e4bd 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 5e6c740970..b314f85b52 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -1,8 +1,9 @@ # [Microsoft HoloLens](index.md) ## [What's new in Microsoft HoloLens](hololens-whats-new.md) -## [Insider preview for Microsoft HoloLens](hololens-insider.md) ## [HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md) +## [Insider preview for Microsoft HoloLens](hololens-insider.md) ## [Set up HoloLens](hololens-setup.md) +## [Install localized version of HoloLens](hololens-install-localized.md) ## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) ## [Enroll HoloLens in MDM](hololens-enroll-mdm.md) ## [Manage updates to HoloLens](hololens-updates.md) diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md index 8f2862fc81..1fc820a243 100644 --- a/devices/hololens/change-history-hololens.md +++ b/devices/hololens/change-history-hololens.md @@ -16,6 +16,10 @@ ms.date: 11/05/2018 This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md). +## Windows 10 Holographic for Business, version 1809 + +The topics in this library have been updated for Windows 10 Holographic for Business, version 1809. + ## November 2018 New or changed topic | Description @@ -37,7 +41,7 @@ New or changed topic | Description New or changed topic | Description --- | --- -[Insider preview for Microsoft HoloLens](hololens-insider.md) | New +Insider preview for Microsoft HoloLens | New (topic retired on release of Windows 10, version 1809) ## June 2018 diff --git a/devices/hololens/hololens-encryption.md b/devices/hololens/hololens-encryption.md index 8210e1f2fb..8a223c0745 100644 --- a/devices/hololens/hololens-encryption.md +++ b/devices/hololens/hololens-encryption.md @@ -8,12 +8,12 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 12/20/2017 +ms.date: 01/26/2019 --- # Enable encryption for HoloLens -You can enable [Bitlocker device encryption](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview) to protect files and information stored on the HoloLens. Device encryption helps protect your data by encrypting it using AES-CBC 128 encryption method, which is equivalent to [EncryptionMethodByDriveType method 3](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype) in the BitLocker configuration service provider (CSP). Only someone with the right encryption key (such as a password) can decrypt it or perform a data recovery. +You can enable [BitLocker device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) to protect files and information stored on the HoloLens. Device encryption helps protect your data by encrypting it using AES-CBC 128 encryption method, which is equivalent to [EncryptionMethodByDriveType method 3](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype) in the BitLocker configuration service provider (CSP). Only someone with the right encryption key (such as a password) can decrypt it or perform a data recovery. @@ -21,40 +21,21 @@ You can enable [Bitlocker device encryption](https://docs.microsoft.com/windows/ You can use your mobile device management (MDM) provider to apply a policy that requires device encryption. The policy used is the [Security/RequireDeviceEncryption setting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-security#security-requiredeviceencryption) in the Policy CSP. -In the following steps, Microsoft Intune is used as the example. For other MDM tools, see your MDM provider's documentation for instructions. +[See instructions for enabling device encryption using Microsoft Intune.](https://docs.microsoft.com/intune/compliance-policy-create-windows#windows-holographic-for-business) -1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). +For other MDM tools, see your MDM provider's documentation for instructions. If your MDM provider requires custom URI for device encryption, use the following configuration: -2. Use **Search** or go to **More services** to open the Intune blade. - -3. Go to **Device configuration > Profiles**, and select **Create profile**. - - ![Intune create profile option](images/encrypt-create-profile.png) - -4. Enter a name of your choice, select **Windows 10 and later** for the platform, select **Custom** for the profile type, and then select **Add**. - - ![Intune custom setting screen](images/encrypt-custom.png) - -5. In **Add Row OMA-URI Settings**, enter or select the following information: - - **Name**: a name of your choice - - **Description**: optional - - **OMA-URI**: `./Vendor/MSFT/Policy/Config/Security/RequireDeviceEncryption` - - **Data type**: integer - - **Value**: `1` - - ![Intune OMA-URI settings for encryption](images/encrypt-oma-uri.png) - -6. Select **OK**, select **OK**, and then select **Create**. The blade for the profile opens automatically. - -7. Select **Assignments** to assign the profile to a group. After you configure the assignment, select **Save**. - -![Intune profile assignment screen](images/encrypt-assign.png) +- **Name**: a name of your choice +- **Description**: optional +- **OMA-URI**: `./Vendor/MSFT/Policy/Config/Security/RequireDeviceEncryption` +- **Data type**: integer +- **Value**: `1` ## Enable device encryption using a provisioning package Provisioning packages are files created by the Windows Configuration Designer tool that apply a specified configuration to a device. -### Create a provisioning package that upgrades the Windows Holographic edition +### Create a provisioning package that upgrades the Windows Holographic edition and enables encryption 1. [Create a provisioning package for HoloLens.](hololens-provisioning.md) @@ -119,6 +100,6 @@ Provisioning packages are files created by the Windows Configuration Designer to Encryption is silent on HoloLens. To verify the device encryption status: -- On HoloLens, go to **Settings** > **System** > **About**. **Bitlocker** is **enabled** if the device is encrypted. +- On HoloLens, go to **Settings** > **System** > **About**. **BitLocker** is **enabled** if the device is encrypted. -![About screen showing Bitlocker enabled](images/about-encryption.png) +![About screen showing BitLocker enabled](images/about-encryption.png) diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md index c11b07759d..3a90c8fe68 100644 --- a/devices/hololens/hololens-insider.md +++ b/devices/hololens/hololens-insider.md @@ -37,77 +37,11 @@ To opt out of Insider builds: - On a HoloLens running a production build, go to **Settings > Update & Security > Windows Insider Program**, and select **Stop Insider builds**. - Follow the instructions to opt out your device. -## New features for HoloLens - -The latest Insider Preview (RS5) has arrived for all HoloLens customers! This latest flight is packed with improvements that have been introduced since the [last major release of HoloLens software in May 2018](https://docs.microsoft.com/windows/mixed-reality/release-notes-october-2018). -### For everyone - - -Feature | Details | Instructions ---- | --- | --- -Stop video capture from the Start or quick actions menu | If you start video capture from the Start menu or quick actions menu, you’ll be able to stop recording from the same place. (Don’t forget, you can always do this with voice commands too.) | To start recording, select **Start > Video**. To stop recording, select **Start > Stop video**. -Project to a Miracast-enabled device | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter | On **Start**, select **Connect**. Select the device you want to project to. -New notifications | View and respond to notification toasts on HoloLens, just like you do on a PC. | You’ll now see notifications from apps that provide them. Gaze to respond to or dismiss them (or if you’re in an immersive experience, use the bloom gesture). -HoloLens overlays (file picker, keyboard, dialogs, etc.) | You’ll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. | When you’re using an immersive app, input text, select a file from the file picker, or interact with dialogs without leaving the app. -Visual feedback overlay UI for volume change | When you use the volume up/down buttons on your HoloLens you’ll see a visual display of the volume level. | Adjust the device volume using the volume up/down buttons located on the right arm of the HoloLens. Use the visual display to track the volume level. -New UI for device boot | A loading indicator was added during the boot process to provide visual feedback that the system is loading. | Reboot your device to see the new loading indicator—it’s between the "Hello" message and the Windows boot logo. -Share UX: Nearby Sharing | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. | Capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge). Select a nearby Windows device to share with. -Share from Microsoft Edge | Share button is now available on Microsoft Edge windows on HoloLens. | In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. - -### For developers - -- Support for Holographic [Camera Capture UI API](https://docs.microsoft.com/windows/uwp/audio-video-camera/capture-photos-and-video-with-cameracaptureui), which will let developers expose a way for users to seamlessly invoke camera or video capture from within their applications. For example, users can now capture and insert photo or video content directly within apps like Word. -- Mixed Reality Capture has been improved to exclude hidden mesh from captures, which means videos captures by apps will no longer contain black corners around the content. - -### For commercial customers - - -Feature | Details | Instructions ---- | --- | --- -Enable post-setup provisioning | Can now apply a runtime provisioning package at any time using **Settings**. | On your PC:

1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md).
2. Connect the HoloLens device via USB to a PC. HoloLens will show up as a device in File Explorer on the PC.
3. Drag and drop the provisioning package to the Documents folder on the HoloLens.

On your HoloLens:

1. Go to **Settings > Accounts > Access work or school**.
2. In **Related Settings**, select **Add or remove a provisioning package**.
3. On the next page, select **Add a package** to launch the file picker and select your provisioning package.
**Note:** if the folder is empty, make sure you select **This Device** and select **Documents**.
After your package has been applied, it will show in the list of Installed packages. To view package details or to remove the package from the device, select the listed package. -Assigned access with Azure AD groups | Flexibility to use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. | Prepare XML file to configure Assigned Access on PC:

1. In a text editor, open [the provided file AssignedAccessHoloLensConfiguration_AzureADGroup.xml](#xml).
2. Change the group ID to one available in your Azure AD tenant. You can find the group ID of an Azure Active Directory Group by either :
- following the steps at [Azure Active Directory version 2 cmdlets for group management](https://docs.microsoft.com/azure/active-directory/active-directory-accessmanagement-groups-settings-v2-cmdlets),
OR
- in the Azure portal, with the steps at [Manage the settings for a group in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-groups-settings-azure-portal).

**Note:** The sample configures the following apps: Skype, Learning, Feedback Hub, Flow, Camera, and Calibration.

Create provisioning package with WCD:

1. On a PC, follow the steps at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md) to create a provisioning package.
2. Ensure that you include the license file in **Set up device**.
3. Select **Switch to advanced editor** (bottom left), and **Yes** for warning prompt.
4. Expand the runtime settings selection in the **Available customizations** panel and select **AssignedAccess > MultiAppAssignedAccessSettings**.
5. In the middle panel, you should now see the setting displayed with documentation in the panel below. Browse to the XML you modified for Assigned Access.
6. On the **Export** menu, select **Provisioning package**.
**Warning:** If you encrypt the provisioning package, provisioning the HoloLens device will fail.
7. Select **Next** to specify the output location where you want the provisioning package to go once it's built.
8. Select **Next**, and then select **Build** to start building the package.
9. When the build completes, select **Finish**.

Apply the package to HoloLens:

1. Connect HoloLens via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box). HoloLens will show up as a device in File Explorer on the PC.
2. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage.
3. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the fit page.
4. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package.
5. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE.

Enable assigned access on HoloLens:

1. After applying the provisioning package, during the **Account Setup** flows in OOBE, select **My work or school owns this** to set up your device with an Azure AD account.
**Note:** This account must not be in the group chosen for Assigned Access.
2. Once you reach the Shell, ensure the Skype app is installed either via your MDM environment or from the Store.
3. After the Skype app is installed, sign out.
4. On the sign-in screen, select the **Other User** option and enter an Azure AD account email address that belongs to the group chosen for Assigned Access. Then enter the password to sign in. You should now see this user with only the apps configured in the Assigned Access profile. -PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**.  | When signing in as **Other User**, the PIN option is now available under **Sign-In options**. -Sign in with Web Cred Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. Look for additional web sign-in methods coming in the future. | From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in.  -Read device hardware info through MDM so devices can be tracked by serial # | IT administrators can see and track HoloLens by device serial number in their MDM console. | Refer to your MDM documentation for feature availability, and for how to use your MDM console to view HoloLens device serial number. -Set HoloLens device name through MDM (rename) |  IT administrators can see and rename HoloLens devices in their MDM console. | Refer to your MDM documentation for feature availability, and for how to use your MDM console to view and set your HoloLens device name (rename). - -### For international customers - - -Feature | Details | Instructions ---- | --- | --- -Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands. | See below. - -#### Installing the Chinese or Japanese versions of the Insider builds - -In order to switch to the Chinese or Japanese version of HoloLens, you’ll need to download the build for the language on a PC and then install it on your HoloLens using the Windows Device Recovery Tool (WDRT). - ->[!IMPORTANT] ->Installing the Chinese or Japanese builds of HoloLens using WDRT will delete existing data, like personal files and settings, from your HoloLens. - -1. On a retail HoloLens device, [opt in to Insider Preview builds](#get-insider) to prepare your device for the RS5 Preview. -2. On your PC, download and install [the Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379). -3. Download the package for the language you want to your PC: [Simplified Chinese](https://aka.ms/hololenspreviewdownload-ch) or [Japanese](https://aka.ms/hololenspreviewdownload-jp). -4. When the download is finished, select **File Explorer > Downloads**. Right-click the zipped folder you just downloaded, and select **Extract all... > Extract** to unzip it. -5. Connect your HoloLens to your PC using the micro-USB cable it came with. (Even if you've been using other cables to connect your HoloLens, this one works best.)  -6. The tool will automatically detect your HoloLens. Select the Microsoft HoloLens tile. -7. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the extension “.ffu”.) -8. Select **Install software** and follow the instructions to finish installing. -9. Once the build is installed, HoloLens setup will start automatically. Put on the device and follow the setup directions. -10. After you complete setup, go to **Settings -> Update & Security -> Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider. Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms. Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build. - - - - -## Note for language support - -- You can’t change the system language between English, Japanese, and Chinese using the Settings app. Flashing a new build is the only supported way to change the device system language. -- While you can enter Simplified Chinese / Japanese text using the on-screen Pinyin keyboard, typing in Simplified Chinese / Japanese using a Bluetooth hardware keyboard is not supported at this time. However, on Chinese/Japanese HoloLens, you can continue to use a BT keyboard to type in English (the Shift key on a hardware keyboard toggles the keyboard to type in English). ## Note for developers -You are welcome and encouraged to try developing your applications using this build of HoloLens. Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started. Those same instructions work with this latest build of HoloLens. You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development. +You are welcome and encouraged to try developing your applications using Insider builds of HoloLens. Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started. Those same instructions work with Insider builds of HoloLens. You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development. ## Provide feedback and report issues @@ -116,75 +50,3 @@ Please use [the Feedback Hub app](https://docs.microsoft.com/windows/mixed-reali >[!NOTE] >Be sure to accept the prompt that asks whether you’d like Feedback Hub to access your Documents folder (select **Yes** when prompted). - -## AssignedAccessHoloLensConfiguration_AzureADGroup.xml - -Copy this sample XML to use for the [**Assigned access with Azure AD groups** feature](#for-commercial-customers). - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - - - - - - - - -``` - diff --git a/devices/hololens/hololens-install-localized.md b/devices/hololens/hololens-install-localized.md new file mode 100644 index 0000000000..8e5a72150a --- /dev/null +++ b/devices/hololens/hololens-install-localized.md @@ -0,0 +1,35 @@ +--- +title: Install localized versions of HoloLens (HoloLens) +description: Learn how to install the Chinese or Japanese versions of HoloLens +ms.prod: hololens +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium +ms.date: 11/13/2018 +--- + +# Install localized versions of HoloLens + +In order to switch to the Chinese or Japanese version of HoloLens, you’ll need to download the build for the language on a PC and then install it on your HoloLens using the Windows Device Recovery Tool (WDRT). + +>[!IMPORTANT] +>Installing the Chinese or Japanese builds of HoloLens using WDRT will delete existing data, like personal files and settings, from your HoloLens. + + +2. On your PC, download and install [the Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379). +3. Download the package for the language you want to your PC: [Simplified Chinese](https://aka.ms/hololensdownload-ch) or [Japanese](https://aka.ms/hololensdownload-jp). +4. When the download is finished, select **File Explorer > Downloads**. Right-click the zipped folder you just downloaded, and select **Extract all... > Extract** to unzip it. +5. Connect your HoloLens to your PC using the micro-USB cable it came with. (Even if you've been using other cables to connect your HoloLens, this one works best.)  +6. The tool will automatically detect your HoloLens. Select the Microsoft HoloLens tile. +7. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the extension “.ffu”.) +8. Select **Install software** and follow the instructions to finish installing. +9. Once the build is installed, HoloLens setup will start automatically. Put on the device and follow the setup directions. + + +## Note for language support + +- You can’t change the system language between English, Japanese, and Chinese using the Settings app. Flashing a new build is the only supported way to change the device system language. +- While you can enter Simplified Chinese / Japanese text using the on-screen Pinyin keyboard, typing in Simplified Chinese / Japanese using a Bluetooth hardware keyboard is not supported at this time. However, on Chinese/Japanese HoloLens, you can continue to use a BT keyboard to type in English (the ~ key on a hardware keyboard toggles the keyboard to type in English). diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index 8f05c5e15c..c888927596 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md @@ -7,7 +7,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 08/14/2018 +ms.date: 11/13/2018 --- # Set up HoloLens in kiosk mode @@ -20,7 +20,17 @@ When HoloLens is configured as a multi-app kiosk, only the allowed apps are avai Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the bloom gesture and Cortana are disabled, and placed apps aren't shown in the user's surroundings. -The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) enables kiosk configuration. +The following table lists the device capabilities in the different kiosk modes. + +Kiosk mode | Voice and Bloom commands | Quick actions menu | Camera and video | Miracast +--- | --- | --- | --- | --- +Single-app kiosk | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) +Multi-app kiosk | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) with **Home** and **Volume** (default)

Photo and video buttons shown in Quick actions menu if the Camera app is enabled in the kiosk configuration.

Miracast is shown if the Camera app and device picker app are enabled in the kiosk configuration. | ![yes](images/checkmark.png) if the Camera app is enabled in the kiosk configuration. | ![yes](images/checkmark.png) if the Camera app and device picker app are enabled in the kiosk configuration. + +>[!NOTE] +>Use the Application User Model ID (AUMID) to allow apps in your kiosk configuration. The Camera app AUMID is `HoloCamera_cw5n1h2txyewy!HoloCamera`. The device picker app AUMID is `HoloDevicesFlow_cw5n1h2txyewy!HoloDevicesFlow`. + +The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) enables kiosk configuration. >[!WARNING] >The assigned access feature which enables kiosk mode is intended for corporate-owned fixed-purpose devices. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all [the enforced policies](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#policies-set-by-multi-app-kiosk-configuration). A factory reset is needed to clear all the policies enforced via assigned access. diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md index c1a90edadb..3e488d4a85 100644 --- a/devices/hololens/hololens-provisioning.md +++ b/devices/hololens/hololens-provisioning.md @@ -7,7 +7,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 04/30/2018 +ms.date: 11/13/2018 --- # Configure HoloLens using a provisioning package @@ -49,8 +49,7 @@ Provisioning packages can include management instructions and policies, customiz > [!TIP] > Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. -> ->![open advanced editor](images/icd-simple-edit.png) + ### Create the provisioning package @@ -73,12 +72,12 @@ Use the Windows Configuration Designer tool to create a provisioning package. - - + + - - + +
![step one](images/one.png)![set up device](images/set-up-device.png)

Browse to and select the enterprise license file to upgrade the HoloLens edition.

You can also toggle **Yes** or **No** to hide parts of the first experience.

Select a region and timezone in which the device will be used. 		![Select enterprise licence file and configure OOBE](images/set-up-device-details.png)
![step two](images/two.png) ![set up network](images/set-up-network.png)

Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.		![Enter network SSID and type](images/set-up-network-details-desktop.png)
![step one](images/one.png)![set up device](images/set-up-device.png)

Browse to and select the enterprise license file to upgrade the HoloLens edition.

You can also toggle **Yes** or **No** to hide parts of the first experience.

To set up the device without the need to connect to a Wi-Fi network, toggle **Skip Wi-Fi setup** to **On**.

Select a region and timezone in which the device will be used. 		![Select enterprise licence file and configure OOBE](images/set-up-device-details.png)
![step two](images/two.png) ![set up network](images/set-up-network.png)

In this section, you can enter the details of the Wi-Fi wireless network that the device should connect to automatically. To do this, select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.		![Enter network SSID and type](images/set-up-network-details-desktop.png)
![step three](images/three.png) ![account management](images/account-management.png)

You can enroll the device in Azure Active Directory, or create a local account on the device

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

To create a local account, select that option and enter a user name and password.

**Important:** (For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. 		![join Azure AD or create a local account](images/account-management-details.png)
![step four](images/four.png) ![add certificates](images/add-certificates.png)

To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.		![add a certificate](images/add-certificates-details.png)
![Developer Setup](images/developer-setup.png)

Toggle **Yes** or **No** to enable Developer Mode on the HoloLens. [Learn more about Developer Mode.](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)		![Enable Developer Mode](images/developer-setup-details.png)
![finish](images/finish.png)

Do not set a password to protect your provisioning package. If the provisioning package is protected by a password, provisioning the HoloLens device will fail.		![Protect your package](images/finish-details.png)
![step five](images/five.png) ![Developer Setup](images/developer-setup.png)

Toggle **Yes** or **No** to enable Developer Mode on the HoloLens. [Learn more about Developer Mode.](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)		![Enable Developer Mode](images/developer-setup-details.png)
![step six](images/six.png) ![finish](images/finish.png)

Do not set a password to protect your provisioning package. If the provisioning package is protected by a password, provisioning the HoloLens device will fail.		![Protect your package](images/finish-details.png)
After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. @@ -137,7 +136,7 @@ After you're done, click **Create**. It only takes a few seconds. When the packa 10. When the build completes, click **Finish**. -## Apply a provisioning package to HoloLens +## Apply a provisioning package to HoloLens during setup 1. Connect the device via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box). @@ -156,6 +155,23 @@ After you're done, click **Create**. It only takes a few seconds. When the packa >[!NOTE] >If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package. +## Apply a provisioning package to HoloLens after setup + +>[!NOTE] +>Windows 10, version 1809 only + +On your PC: +1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md). +2. Connect the HoloLens device via USB to a PC. HoloLens will show up as a device in File Explorer on the PC. +3. Drag and drop the provisioning package to the Documents folder on the HoloLens. + +On your HoloLens: +1. Go to **Settings > Accounts > Access work or school**. +2. In **Related Settings**, select **Add or remove a provisioning package**. +3. On the next page, select **Add a package** to launch the file picker and select your provisioning package. If the folder is empty, make sure you select **This Device** and select **Documents**. + +After your package has been applied, it will show in the list of **Installed packages**. To view package details or to remove the package from the device, select the listed package. + ## What you can configure Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers). diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md index e10552862b..9ea1e9de34 100644 --- a/devices/hololens/hololens-updates.md +++ b/devices/hololens/hololens-updates.md @@ -14,36 +14,30 @@ ms.date: 04/30/2018 >**Looking for how to get the latest update? See [Update HoloLens](https://support.microsoft.com/help/12643/hololens-update-hololens).** -Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. As with desktop devices, administrators can manage updates to the HoloLens operating system using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). - >[!NOTE] >HoloLens devices must be [upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md) to manage updates. +For a complete list of Update policies, see [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business). -Mobile device management (MDM) providers use the [Policy Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) to enable update management. +To configure how and when updates are applied, use the following policies: +- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) +- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday) +- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime) -The Update policies supported for HoloLens are: +To turn off the automatic check for updates, set the following policy to value **5** – Turn off Automatic Updates: +- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) -- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) -- [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice) -- [Update/RequireDeferUpgrade](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) -- [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) +In Microsoft Intune, you can use **Automatic Update Behavior** to change this policy. (See [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure)) - - -Typically, devices access Windows Update directly for updates. You can use the following update policies to configure devices to get updates from Windows Server Update Service (WSUS) instead: +For devices on Windows 10, version 1607 only: You can use the following update policies to configure devices to get updates from Windows Server Update Service (WSUS) instead of Windows Update: - [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice) - [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) - [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) -In Microsoft Intune, use [a custom profile](https://docs.microsoft.com/intune/custom-settings-windows-holographic) to configure devices to get updates from WSUS. - - - ## Related topics -- [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure) \ No newline at end of file +- [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business) +- [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure) diff --git a/devices/hololens/hololens-whats-new.md b/devices/hololens/hololens-whats-new.md index 75556a83db..0e17d81790 100644 --- a/devices/hololens/hololens-whats-new.md +++ b/devices/hololens/hololens-whats-new.md @@ -1,18 +1,60 @@ --- title: What's new in Microsoft HoloLens (HoloLens) -description: Windows Holographic for Business gets new features in Windows 10, version 1803. +description: Windows Holographic for Business gets new features in Windows 10, version 1809. ms.prod: hololens ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 04/30/2018 +ms.date: 11/13/2018 --- # What's new in Microsoft HoloLens +## Windows 10, version 1809 for Microsoft HoloLens +### For everyone + +Feature | Details +--- | --- +Quick actions menu | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app. See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.

![sample of the Quick actions menu](images/minimenu.png) +Stop video capture from the Start or quick actions menu | If you start video capture from the Start menu or quick actions menu, you’ll be able to stop recording from the same place. (Don’t forget, you can always do this with voice commands too.) +Project to a Miracast-enabled device | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. +New notifications | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you’re in an immersive experience, use the bloom gesture). +HoloLens overlays (file picker, keyboard, dialogs, etc.) | You’ll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. +Visual feedback overlay UI for volume change | When you use the volume up/down buttons on your HoloLens you’ll see a visual display of the volume level. +New UI for device boot | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it’s between the "Hello" message and the Windows boot logo. +Share UX: Nearby Sharing | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. +Share from Microsoft Edge | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. + + + +### For administrators + + +Feature | Details +--- | --- +[Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**. +Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. +PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**.  | When signing in as **Other User**, the PIN option is now available under **Sign-In options**. +Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in.  +Read device hardware info through MDM so devices can be tracked by serial # | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions. +Set HoloLens device name through MDM (rename) |  IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions. + +### For international customers + + +Feature | Details +--- | --- +Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands. +Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English. + +[Learn how to install the Chinese and Japanese versions of HoloLens.](hololens-install-localized.md) + + + +## Windows 10, version 1803 for Microsoft HoloLens Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes: @@ -49,6 +91,6 @@ Windows 10, version 1803, is the first feature update to Windows Holographic for ## Additional resources - [Reset or recover your HoloLens](https://developer.microsoft.com/windows/mixed-reality/reset_or_recover_your_hololens) -- [Restart, rest, or recover HoloLens](https://support.microsoft.com/help/13452/hololens-restart-reset-or-recover-hololens) +- [Restart, reset, or recover HoloLens](https://support.microsoft.com/help/13452/hololens-restart-reset-or-recover-hololens) - [Manage devices running Windows Holographic with Microsoft Intune](https://docs.microsoft.com/intune/windows-holographic-for-business) diff --git a/devices/hololens/images/account-management-details.png b/devices/hololens/images/account-management-details.png index 4094dabd85..20816830a4 100644 Binary files a/devices/hololens/images/account-management-details.png and b/devices/hololens/images/account-management-details.png differ diff --git a/devices/hololens/images/account-management.PNG b/devices/hololens/images/account-management.PNG index 34165dfcd6..da53cb74b8 100644 Binary files a/devices/hololens/images/account-management.PNG and b/devices/hololens/images/account-management.PNG differ diff --git a/devices/hololens/images/add-certificates.PNG b/devices/hololens/images/add-certificates.PNG index 24cb605d1c..7a16dffd26 100644 Binary files a/devices/hololens/images/add-certificates.PNG and b/devices/hololens/images/add-certificates.PNG differ diff --git a/devices/hololens/images/developer-setup-details.png b/devices/hololens/images/developer-setup-details.png index 0a32af7ba7..d445bf5759 100644 Binary files a/devices/hololens/images/developer-setup-details.png and b/devices/hololens/images/developer-setup-details.png differ diff --git a/devices/hololens/images/developer-setup.png b/devices/hololens/images/developer-setup.png index 826fda5f25..a7e49873b0 100644 Binary files a/devices/hololens/images/developer-setup.png and b/devices/hololens/images/developer-setup.png differ diff --git a/devices/hololens/images/finish.PNG b/devices/hololens/images/finish.PNG index 7c65da1799..975caba764 100644 Binary files a/devices/hololens/images/finish.PNG and b/devices/hololens/images/finish.PNG differ diff --git a/devices/hololens/images/set-up-device-details.PNG b/devices/hololens/images/set-up-device-details.PNG index 85b7dd382e..7325e06e86 100644 Binary files a/devices/hololens/images/set-up-device-details.PNG and b/devices/hololens/images/set-up-device-details.PNG differ diff --git a/devices/hololens/images/set-up-device.PNG b/devices/hololens/images/set-up-device.PNG index 0c9eb0e3ff..577117a26a 100644 Binary files a/devices/hololens/images/set-up-device.PNG and b/devices/hololens/images/set-up-device.PNG differ diff --git a/devices/hololens/images/set-up-network.PNG b/devices/hololens/images/set-up-network.PNG index a0e856c103..19fd3ff7bb 100644 Binary files a/devices/hololens/images/set-up-network.PNG and b/devices/hololens/images/set-up-network.PNG differ diff --git a/devices/hololens/index.md b/devices/hololens/index.md index 2f5741df7e..9b7ed69845 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -22,9 +22,9 @@ ms.date: 07/27/2018 | Topic | Description | | --- | --- | | [What's new in Microsoft HoloLens](hololens-whats-new.md) | Discover the new features in the latest update. | -[Insider preview for Microsoft HoloLens](hololens-insider.md) | Learn about new HoloLens features available in the latest Insider Preview build. | [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management | | [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time | +[Install localized version of HoloLens](hololens-install-localized.md) | Install the Chinese or Japanese version of HoloLens | [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic for Business | | [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft Intune | | [Manage updates to HoloLens](hololens-updates.md) | Use mobile device management (MDM) policies to configure settings for updates. | diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md index 4e42bd0dad..dc313f8f5d 100644 --- a/devices/surface-hub/create-a-device-account-using-office-365.md +++ b/devices/surface-hub/create-a-device-account-using-office-365.md @@ -75,10 +75,16 @@ From here on, you'll need to finish the account creation process using PowerShel In order to run cmdlets used by these PowerShell scripts, the following must be installed for the admin PowerShell console: -- [Microsoft Online Services Sign-In Assistant for IT Professionals BETA](https://go.microsoft.com/fwlink/?LinkId=718149) +- [Microsoft Online Services Sign-In Assistant for IT Professionals RTW](https://www.microsoft.com/en-us/download/details.aspx?id=41950) - [Windows Azure Active Directory Module for Windows PowerShell](https://www.microsoft.com/web/handlers/webpi.ashx/getinstaller/WindowsAzurePowershellGet.3f.3f.3fnew.appids) - [Skype for Business Online, Windows PowerShell Module](https://www.microsoft.com/download/details.aspx?id=39366) +Install the following module in Powershell +``` syntax + install-module AzureAD + Install-module MsOnline +``` + ### Connecting to online services 1. Run Windows PowerShell as Administrator. @@ -200,8 +206,7 @@ In order to enable Skype for Business, your environment will need to meet the fo 2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: ```PowerShell - Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool - "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress + Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress ``` If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: @@ -356,18 +361,22 @@ In order to enable Skype for Business, your environment will need to meet the fo Import-PSSession $cssess -AllowClobber ``` -2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: +2. Retrieve your Surface Hub account Registrar Pool + +If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: + + ```PowerShell + Get-CsOnlineUser -Identity ‘alice@contoso.microsoft.com’| fl *registrarpool* + ``` + +3. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: ```PowerShell Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress ``` - If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: - - ```PowerShell - Get-CsOnlineUser -Identity ‘alice@contoso.microsoft.com’| fl *registrarpool* - ``` + diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json index dc151c3165..47f420a4d0 100644 --- a/devices/surface-hub/docfx.json +++ b/devices/surface-hub/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md index 0771aab258..65c471f4a1 100644 --- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md @@ -132,7 +132,7 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | | --- | --- | --- |---- | --- | --- | | Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Defender status | Use to initiate a Defender scan, force a signature update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes | +| Defender status | Use to initiate a Defender scan, force a Security intelligence update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Remote reboot diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index b9239014a4..0ae8b338d8 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -25,7 +25,7 @@ Review these dependencies to make sure Surface Hub features will work in your IT |-------------|------------------| | Active Directory or Azure Active Directory (Azure AD) |

The Surface Hub's uses an Active Directory or Azure AD account (called a **device account**) to access Exchange and Skype for Business services. The Surface Hub must be able to connect to your Active Directory domain controller or to your Azure AD tenant in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and Session Initiation Protocol (SIP) address.

You can also domain join or Azure AD join your Surface Hub to allow a group of authorized users to configure settings on the Surface Hub. | | Exchange (Exchange 2013 or later, or Exchange Online) and Exchange ActiveSync |

Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join.

ActiveSync is used to sync the device account’s calendar and mail to the Surface Hub. If the device cannot use ActiveSync, it will not show meetings on the welcome screen, and joining meetings and emailing whiteboards will not be enabled. | -| Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.

If screen sharing on a Surface Hub fails and the error message **An error occurred during the screen presentation** is displayed, see [Video Based Screen Sharing not working on Surface Hub](https://support.microsoft.com/help/3179272/video-based-screen-sharing-not-working-on-surface-hub) for help. | +| Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.| | Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. | | Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. | | Network and Internet access | In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1X Authentication is supported for both wired and wireless connections.


**802.1X authentication:** In Windows 10, version 1703, 802.1X authentication for wired and wireless connections is enabled by default in Surface Hub. If your organization doesn't use 802.1X authentication, there is no configuration required and Surface Hub will continue to function as normal. If you use 802.1X authentication, you must ensure that the authentication certification is installed on Surface Hub. You can deliver the certificate to Surface Hub using the [ClientCertificateInstall CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/clientcertificateinstall-csp) in MDM, or you can [create a provisioning package](provisioning-packages-for-surface-hub.md) and install it during first run or through the Settings app. After the certificate is applied to Surface Hub, 802.1X authentication will start working automatically.
**Note:** For more information on enabling 802.1X wired authentication on Surface Hub, see [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md).

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. | diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index e68eb9a565..df57cb2c6d 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -10,11 +10,13 @@ ### [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md) #### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md) #### [Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md) +### [Maintain optimal power settings on Surface devices](maintain-optimal-power-settings-on-Surface-devices.md) ### [Battery Limit setting](battery-limit.md) +### [Surface Brightness Control](microsoft-surface-brightness-control.md) +### [Surface Asset Tag](assettag.md) ## [Surface firmware and driver updates](update.md) ### [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) ### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md) -### [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md) ### [Surface Dock Updater](surface-dock-updater.md) ### [Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) ## [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md) @@ -26,6 +28,9 @@ ### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md) ### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) ### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md) +## [Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) +### [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md) +### [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) ## [Surface Data Eraser](microsoft-surface-data-eraser.md) ## [Top support solutions for Surface devices](support-solutions-surface.md) ## [Change history for Surface documentation](change-history-for-surface.md) diff --git a/devices/surface/assettag.md b/devices/surface/assettag.md new file mode 100644 index 0000000000..9771aacb0d --- /dev/null +++ b/devices/surface/assettag.md @@ -0,0 +1,112 @@ +--- +title: Surface Asset Tag Tool +description: This topic explains how to use the Surface Asset Tag Tool. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: coveminer +ms.author: v-jokai +ms.topic: article +ms.date: 02/01/2019 +--- + +# Surface Asset Tag Tool + +Surface Asset Tag is a command line interface (CLI) utility +that allows you to view, assign, and modify an assigned asset tag value +for Surface devices. It works on Surface Pro 3 and all newer Surface devices. + +## System requirements + + - Surface Pro 3 or later + + - UEFI firmware version 3.9.150.0 or later + +## Using Surface Asset Tag + +To run Surface Asset Tag: + +1. On the Surface device, download **Surface Pro 3 AssetTag.zip** from the [Microsoft Download + Center](http://www.microsoft.com/download/details.aspx?id=44076), + extract the zip file, and save AssetTag.exe in desired folder (in + this example, C:\\assets). + +2. Open a command console as an Administrator and run AssetTag.exe, + entering the full path to the tool. + +3. Restart Surface. + +### Asset Tag tool commands +In the following examples, AssetTag.exe is saved in a directory on a local machine (C:\assets). + +To get the proposed asset tag, run AssetTag -g. + +**Example** + + ``` + C:\assets\AssetTag.exe -g + ``` + + To clear the proposed asset tag, run AssetTag -s. + + **Example** + + ``` +C:\assets\AssetTag.exe -s + ``` +To set the proposed asset tag, run AssetTag -s testassettag12. + +**Example** + +``` +C:\assets\AssetTag.exe -s testassettag12 +``` + +>[!NOTE] +>The asset tag value must contain between 1 and 36 characters. Valid characters include A-Z, a-z, 0-9, period (.) and hyphen (-). + + +## Managing asset tags + +You can view the existing asset tag in the UEFI settings under Device +Information (**Control Panel > Recovery > Advanced Startup > Restart +now**.) + +The figure below shows the results of running the Asset Tag Tool on +Surface Go. + +![Results of running Surface Asset Tag tool on Surface Go. +](images/assettag-fig1.png) + +> **Figure 1.** Results of running Surface Asset Tag tool on Surface Go + +Alternately, you can use WMI to query the existing asset tag on a device: + +(Get-WmiObject -query “Select * from Win32_SystemEnclosure”) + +**Example** + + ``` +C:\Windows\System32> (Get-WmiObject -query “Select * from Win32_SystemEnclosure”) + ``` + +### Using PowerShell + +You can use the script below as a way of getting the proposed value and +interpreting any errors. + + ``` +AssetTag -g \> $asset\_tag 2\> $error\_message +$asset\_tag\_return\_code = $LASTEXITCODE +$asset\_tag = $asset\_tag.Trim(“\`r\`n”) + +if ($asset\_tag\_return\_code -eq 0) { +Write-Output (“Good Tag = ” + $asset\_tag) +} else { +Write-Output ( +“Failure: Code = ” + $asset\_tag\_return\_code + +“Tag = ” + $asset\_tag + +“Message = ” + $error\_message) + +} + ``` diff --git a/devices/surface/battery-limit.md b/devices/surface/battery-limit.md index 1e86776942..dce83705cc 100644 --- a/devices/surface/battery-limit.md +++ b/devices/surface/battery-limit.md @@ -11,7 +11,7 @@ ms.author: jdecker ms.topic: article --- -# Battery Limit settings +# Battery Limit setting Battery Limit option is a UEFI setting that changes how the Surface device battery is charged and may prolong its longevity. This setting is recommended in cases in which the device is continuously connected to power, for example when devices are integrated into kiosk solutions. diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index 0e0ff5dcc7..9c34783c79 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -7,13 +7,37 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 10/15/2018 --- # Change history for Surface documentation This topic lists new and updated topics in the Surface documentation library. +## February 2019 + +New or changed topic | Description +--- | --- +[Surface Asset Tag](assettag.md) | New + + +## January 2019 + +New or changed topic | Description +--- | --- +[Surface Brightness Control](microsoft-surface-brightness-control.md) | New +[Maintain optimal power settings on Surface devices](maintain-optimal-power-settings-on-Surface-devices.md) | New +|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface Studio 2 | + + +## November 2018 + +New or changed topic | Description +--- | --- +|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface Pro 6 | +[Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) | New +[Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md) | New +[Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) | New + ## October 2018 New or changed topic | Description @@ -115,4 +139,4 @@ New or changed topic | Description -  \ No newline at end of file +  diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index 116df9446d..1d736b1ece 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md @@ -9,7 +9,6 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: brecords -ms.date: 10/15/2018 ms.author: jdecker ms.topic: article --- @@ -38,6 +37,16 @@ Recent additions to the downloads for Surface devices provide you with options t >[!NOTE] >A battery charge of 40% or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](https://go.microsoft.com/fwlink/p/?LinkId=618106) for more information. +## Surface Laptop 2 + +Download the following updates for [Surface Laptop 2 from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57515). +* SurfaceLaptop2_Win10_XXXXX_XXXXXXX_X.msi – Cumulative firmware and driver update package for Windows 10 + +## Surface Pro 6 + +Download the following updates for [Surface Pro 6 from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57514). + +* SurfacePro6_Win10_XXXXX_XXXXXXX_X.msi – Cumulative firmware and driver update package for Windows 10 ## Surface GO @@ -46,29 +55,32 @@ Download the following updates for [Surface GO from the Microsoft Download Cente ## Surface Book 2 - Download the following updates for [Surface Book 2 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56261). * SurfaceBook2_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 ## Surface Laptop - Download the following updates for [Surface Laptop from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55489). * SurfaceLaptop_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 ## Surface Pro - Download the following updates for [Surface Pro (Model 1796) from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55484). * SurfacePro_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 ## Surface Pro with LTE Advanced - Download the following updates for [Surface Pro with LTE Advanced from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56278). + * SurfacePro_LTE_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 +## Surface Pro 6 + +Download the following updates for [Surface Pro 6 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=57514). + +* SurfacePro6_Win10_17134_xxxxx_xxxxxx.msi + ## Surface Studio @@ -76,6 +88,12 @@ Download the following updates for [Surface Studio from the Microsoft Download C * SurfaceStudio_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 +## Surface Studio 2 + +Download the following updates for [Surface Studio 2 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=57593). + +* SurfaceStudio2_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 + ## Surface Book diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json index 86d594455f..8477cac86f 100644 --- a/devices/surface/docfx.json +++ b/devices/surface/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md index 086d18eead..0c64b39169 100644 --- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md +++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md @@ -35,13 +35,13 @@ To create a Surface UEFI configuration package, follow these steps: 2. Click **Start**. 3. Click **Configuration Package**, as shown in Figure 1. - ![Create a package for SEMM enrollment](images\surface-semm-enroll-fig1.png "Create a package for SEMM enrollment") + ![Create a package for SEMM enrollment](images\surface-ent-mgmt-fig1-uefi-configurator.png "Create a package for SEMM enrollment") *Figure 1. Select Configuration Package to create a package for SEMM enrollment and configuration* 4. Click **Certificate Protection** to add your exported certificate file with private key (.pfx), as shown in Figure 2. Browse to the location of your certificate file, select the file, and then click **OK**. - ![Add the SEM certificate and Surface UEFI password to configuration package](images\surface-semm-enrollment-fig2.png "Add the SEM certificate and Surface UEFI password to configuration package") + ![Add the SEM certificate and Surface UEFI password to configuration package](images\surface-ent-mgmt-fig2-securepackage.png "Add the SEM certificate and Surface UEFI password to configuration package") *Figure 2. Add the SEMM certificate and Surface UEFI password to a Surface UEFI configuration package* @@ -57,14 +57,14 @@ To create a Surface UEFI configuration package, follow these steps: 9. Click **Next**. 10. If you want to deactivate a component on managed Surface devices, on the **Choose which components you want to activate or deactivate** page, click the slider next to any device or group of devices you want to deactivate so that the slider is in the **Off** position. (Shown in Figure 4.) The default configuration for each device is **On**. Click the **Reset** button if you want to return all sliders to the default position. - ![Disable or enable Surface components](images\surface-semm-enroll-fig4.png "Disable or enable Surface components") + ![Disable or enable Surface components](images\surface-ent-mgmt-fig3-enabledisable.png "Disable or enable Surface components") *Figure 4. Disable or enable individual Surface components* 11. Click **Next**. 12. To enable or disable advanced options in Surface UEFI or the display of Surface UEFI pages, on the **Choose the advanced settings for your devices** page, click the slider beside the desired setting to configure that option to **On** or **Off** (shown in Figure 5). In the **UEFI Front Page** section, you can use the sliders for **Security**, **Devices**, and **Boot** to control what pages are available to users who boot into Surface UEFI. (For more information about Surface UEFI settings, see [Manage Surface UEFI settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).) Click **Build** when you have finished selecting options to generate and save the package. - ![Control advanced Surface UEFI settings and Surface UEFI pages](images\surface-semm-enroll-fig5.png "Control advanced Surface UEFI settings and Surface UEFI pages") + ![Control advanced Surface UEFI settings and Surface UEFI pages](images\surface-ent-mgmt-fig4-advancedsettings.png "Control advanced Surface UEFI settings and Surface UEFI pages") *Figure 5. Control advanced Surface UEFI settings and Surface UEFI pages with SEMM* @@ -74,7 +74,7 @@ To create a Surface UEFI configuration package, follow these steps: >[!NOTE] >Record the certificate thumbprint characters that are displayed on this page, as shown in Figure 6. You will need these characters to confirm enrollment of new Surface devices in SEMM. Click **End** to complete package creation and close Microsoft Surface UEFI Configurator. -![Display of certificate thumbprint characters](images\surface-semm-enroll-fig6.png "Display of certificate thumbprint characters") +![Display of certificate thumbprint characters](images\surface-ent-mgmt-fig5-success.png "Display of certificate thumbprint characters") *Figure 6. The last two characters of the certificate thumbprint are displayed on the Successful page* @@ -138,4 +138,4 @@ If you have not secured Surface UEFI with a password or a user enters the passwo ![Settings managed by SEMM disabled in Surface UEFI](images\surface-semm-enroll-fig12.png "Settings managed by SEMM disabled in Surface UEFI") -*Figure 12. Settings managed by SEMM will be disabled in Surface UEFI* \ No newline at end of file +*Figure 12. Settings managed by SEMM will be disabled in Surface UEFI* diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md index 2e6455f840..46c4dda2d0 100644 --- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md +++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md @@ -32,9 +32,9 @@ Booting from the network (PXE boot) is only supported when you use an Ethernet a The following Ethernet devices are supported for network boot with Surface devices: -- Surface USB to Ethernet adapter +- Surface USB-C to Ethernet and USB 3.0 Adapter -- Surface USB 3.0 Ethernet adapter +- Surface USB 3.0 to Gigabit Ethernet Adapter - Surface Dock diff --git a/devices/surface/images/assettag-fig1.png b/devices/surface/images/assettag-fig1.png new file mode 100644 index 0000000000..5ccb36c85f Binary files /dev/null and b/devices/surface/images/assettag-fig1.png differ diff --git a/devices/surface/images/powerintrofig1.png b/devices/surface/images/powerintrofig1.png new file mode 100644 index 0000000000..d33b9922fd Binary files /dev/null and b/devices/surface/images/powerintrofig1.png differ diff --git a/devices/surface/images/powerintrofig1a.png b/devices/surface/images/powerintrofig1a.png new file mode 100644 index 0000000000..e704b940c9 Binary files /dev/null and b/devices/surface/images/powerintrofig1a.png differ diff --git a/devices/surface/images/powerintrofig2.png b/devices/surface/images/powerintrofig2.png new file mode 100644 index 0000000000..eea52a8f3d Binary files /dev/null and b/devices/surface/images/powerintrofig2.png differ diff --git a/devices/surface/images/powerintrofig2a.png b/devices/surface/images/powerintrofig2a.png new file mode 100644 index 0000000000..e00fe81105 Binary files /dev/null and b/devices/surface/images/powerintrofig2a.png differ diff --git a/devices/surface/images/powerintrofig3.png b/devices/surface/images/powerintrofig3.png new file mode 100644 index 0000000000..08e9cd36a3 Binary files /dev/null and b/devices/surface/images/powerintrofig3.png differ diff --git a/devices/surface/images/powerintrofig4.png b/devices/surface/images/powerintrofig4.png new file mode 100644 index 0000000000..f983673f35 Binary files /dev/null and b/devices/surface/images/powerintrofig4.png differ diff --git a/devices/surface/images/sdt-1.png b/devices/surface/images/sdt-1.png new file mode 100644 index 0000000000..fb10753608 Binary files /dev/null and b/devices/surface/images/sdt-1.png differ diff --git a/devices/surface/images/sdt-2.png b/devices/surface/images/sdt-2.png new file mode 100644 index 0000000000..be951967f0 Binary files /dev/null and b/devices/surface/images/sdt-2.png differ diff --git a/devices/surface/images/sdt-3.png b/devices/surface/images/sdt-3.png new file mode 100644 index 0000000000..0d3077cc1b Binary files /dev/null and b/devices/surface/images/sdt-3.png differ diff --git a/devices/surface/images/sdt-4.png b/devices/surface/images/sdt-4.png new file mode 100644 index 0000000000..babddbb240 Binary files /dev/null and b/devices/surface/images/sdt-4.png differ diff --git a/devices/surface/images/sdt-5.png b/devices/surface/images/sdt-5.png new file mode 100644 index 0000000000..5c5346d93a Binary files /dev/null and b/devices/surface/images/sdt-5.png differ diff --git a/devices/surface/images/sdt-6.png b/devices/surface/images/sdt-6.png new file mode 100644 index 0000000000..acf8e684b3 Binary files /dev/null and b/devices/surface/images/sdt-6.png differ diff --git a/devices/surface/images/sdt-7.png b/devices/surface/images/sdt-7.png new file mode 100644 index 0000000000..5e16961c6b Binary files /dev/null and b/devices/surface/images/sdt-7.png differ diff --git a/devices/surface/images/sdt-desk-1.png b/devices/surface/images/sdt-desk-1.png new file mode 100644 index 0000000000..f1ecc03b30 Binary files /dev/null and b/devices/surface/images/sdt-desk-1.png differ diff --git a/devices/surface/images/sdt-desk-2.png b/devices/surface/images/sdt-desk-2.png new file mode 100644 index 0000000000..3d066cb3e5 Binary files /dev/null and b/devices/surface/images/sdt-desk-2.png differ diff --git a/devices/surface/images/sdt-desk-3.png b/devices/surface/images/sdt-desk-3.png new file mode 100644 index 0000000000..bbd9709300 Binary files /dev/null and b/devices/surface/images/sdt-desk-3.png differ diff --git a/devices/surface/images/sdt-desk-4.png b/devices/surface/images/sdt-desk-4.png new file mode 100644 index 0000000000..f533646605 Binary files /dev/null and b/devices/surface/images/sdt-desk-4.png differ diff --git a/devices/surface/images/sdt-desk-5.png b/devices/surface/images/sdt-desk-5.png new file mode 100644 index 0000000000..664828762e Binary files /dev/null and b/devices/surface/images/sdt-desk-5.png differ diff --git a/devices/surface/images/sdt-desk-6.png b/devices/surface/images/sdt-desk-6.png new file mode 100644 index 0000000000..1b9ce9f7e2 Binary files /dev/null and b/devices/surface/images/sdt-desk-6.png differ diff --git a/devices/surface/images/surface-ent-mgmt-fig1-uefi-configurator.png b/devices/surface/images/surface-ent-mgmt-fig1-uefi-configurator.png index 7ed392d31d..e8fb93a1a7 100644 Binary files a/devices/surface/images/surface-ent-mgmt-fig1-uefi-configurator.png and b/devices/surface/images/surface-ent-mgmt-fig1-uefi-configurator.png differ diff --git a/devices/surface/images/surface-ent-mgmt-fig2-securepackage.png b/devices/surface/images/surface-ent-mgmt-fig2-securepackage.png index a1316359d3..fa47419ca0 100644 Binary files a/devices/surface/images/surface-ent-mgmt-fig2-securepackage.png and b/devices/surface/images/surface-ent-mgmt-fig2-securepackage.png differ diff --git a/devices/surface/images/surface-ent-mgmt-fig3-enabledisable.png b/devices/surface/images/surface-ent-mgmt-fig3-enabledisable.png index 39b0c797e7..0a34907def 100644 Binary files a/devices/surface/images/surface-ent-mgmt-fig3-enabledisable.png and b/devices/surface/images/surface-ent-mgmt-fig3-enabledisable.png differ diff --git a/devices/surface/images/surface-ent-mgmt-fig4-advancedsettings.png b/devices/surface/images/surface-ent-mgmt-fig4-advancedsettings.png index 405e8c4d7e..f425466056 100644 Binary files a/devices/surface/images/surface-ent-mgmt-fig4-advancedsettings.png and b/devices/surface/images/surface-ent-mgmt-fig4-advancedsettings.png differ diff --git a/devices/surface/images/surface-ent-mgmt-fig5-success.png b/devices/surface/images/surface-ent-mgmt-fig5-success.png index 508f76533c..e671570fee 100644 Binary files a/devices/surface/images/surface-ent-mgmt-fig5-success.png and b/devices/surface/images/surface-ent-mgmt-fig5-success.png differ diff --git a/devices/surface/index.md b/devices/surface/index.md index 20d2c00e79..e559820d25 100644 --- a/devices/surface/index.md +++ b/devices/surface/index.md @@ -31,6 +31,7 @@ For more information on planning for, deploying, and managing Surface devices in | [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) | Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. | | [Manage Surface UEFI settings](manage-surface-uefi-settings.md) | Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings. | | [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. | +| [Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) | Learn how to investigate, troubleshoot, and resolve hardware, software, and firmware issues with Surface devices. | | [Surface Data Eraser](microsoft-surface-data-eraser.md) | Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. | | [Top support solutions for Surface devices](support-solutions-surface.md) | These are the top Microsoft Support solutions for common issues experienced using Surface devices in an enterprise. | | [Change history for Surface documentation](change-history-for-surface.md) | This topic lists new and updated topics in the Surface documentation library. | diff --git a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md new file mode 100644 index 0000000000..ce172d5600 --- /dev/null +++ b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md @@ -0,0 +1,155 @@ +--- +title: Maintain optimal power settings +description: This topic provides best practice recommendations for maintaining optimal power settings and explains how Surface streamlines the power management experience. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: coveminer +ms.author: v-jokai +ms.topic: article +ms.date: 01/17/2019 +--- + +# Maintain optimal power settings on Surface devices + +Surface devices are designed to take advantage of the latest advances in +mobile device energy consumption to deliver a streamlined experience +optimized across workloads. Depending on what you’re doing, Surface +dynamically fine tunes how power flows to individual hardware +components, momentarily waking up system components to handle background +tasks -- such as an incoming email or network traffic -- before returning to a +low power idle state (S0ix). + +The way Surface implements power management differs significantly from +the earlier OS standard that gradually reduces and turns off power via a +series of sleep states (S1, S2, S3). + +Instead, Surface is imaged with a custom power profile that replaces +legacy sleep and energy consumption functionality with modern standby +features and dynamic fine tuning. This custom power profile is +implemented via the Surface Serial Hub Driver and the system aggregator +module (SAM). The SAM chip functions as the Surface device power-policy +owner, using algorithms to calculate optimal power requirements. It +works in conjunction with Windows power manager to allocate or throttle +only the exact amount of power required for hardware components to +function. + +## Modern Standby + +The algorithmically embedded custom power profile enables modern standby +connectivity for Surface by maintaining a low power state for +instant on/instant off functionality typical of smartphones. S0ix, also +known as Deepest Runtime Idle Platform State (DRIPS), is the default +power mode for Surface devices. Modern standby has two modes: + + - **Connected standby.** The default mode for up-to-the minute + delivery of emails, messaging, and cloud-synced data, connected + standby keeps Wi-Fi on and maintains network connectivity. + + - **Disconnected standby.** An optional mode for extended battery + life, disconnected standby delivers the same instant-on experience + and saves power by turning off Wi-Fi, Bluetooth, and related network + connectivity. + +To learn more about modern standby, refer to the [Microsoft Hardware Dev +Center](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby-wake-sources). + +## How Surface streamlines the power management experience + +Surface integrates the following features designed to help users +optimize the power management experience: + + - [Singular power plan](#singular-power-plan) + + - [Simplified power settings user + interface](#simplified-power-settings-user-interface) + + - [Windows performance power + slider](#windows-performance-power-slider) + +### Singular power plan + +Surface is designed for a streamlined power management experience that +eliminates the need to create custom power plans or manually configure +power settings. Microsoft streamlines the user +experience by delivering a single power plan (balanced) that replaces +the multiple power plans from standard Windows builds. + +### Simplified power settings user interface +Surface provides a simplified UI in accord with best practice power +setting recommendations. In general, it's recommended to only adjust settings visible in the default user interface and avoid configuring advanced power settings or Group Policy settings. Using the default screen and sleep timeouts while avoiding maximum +brightness levels are the most effective ways for users to maintain +extended battery life. + +![Figure 1. Simplified power & sleep settings](images/powerintrofig1.png) + +Figure 1. Simplified power and sleep settings + +### Windows performance power slider + +Surface devices running Windows 10 build 1709 and later include a power +slider allowing you to prioritize battery life when needed or favor performance if desired. You +can access the power slider from the taskbar by clicking on the battery +icon. Slide left for longer battery life (battery saver mode) or slide +right for faster performance. + +![Figure 2. Power slider](images/powerintrofig2a.png) + +Figure 2. Power slider + +Power slider enables four states as described in the following table: + +| Slider mode| Description | +|---|---| +| Battery saver| Helps conserve power and prolong battery life when the system is disconnected from a power source. When battery saver is on, some Windows features are disabled, throttled, or behave differently. Screen brightness is also reduced. Battery saver is only available when using battery power (DC). To learn more, see [Battery Saver](https://docs.microsoft.com/en-us/windows-hardware/design/component-guidelines/battery-saver).| +| Recommended | Delivers longer battery life than the default settings in earlier versions of Windows. | +| Better Performance | Slightly favors performance over battery life, functioning as the default slider mode. | +| Best Performance | Favors performance over power for workloads requiring maximum performance and responsiveness, regardless of battery power consumption.| + +Power slider modes directly control specific hardware components shown +in the following table. + +| Component | Slider functionality | +|---|---| +| Intel Speed Shift (CPU energy registers) and Energy Performance Preference hint. | Selects the best operating frequency and voltage for optimal performance and power. The Energy Performance Preference (PERFEPP) is a global power efficiency hint to the CPU. | +| Fan speed (RPM)| Where applicable, adjusts for changing conditions such as keeping fan silent in battery saver slider mode.| +| Processor package power limits (PL1/PL2).| Requires the CPU to manage its frequency choices to accommodate a running average power limit for both steady state (PL1) and turbo (PL2) workloads.| +| Processor turbo frequency limits (IA turbo limitations). | Adjusts processor and graphics performance allowing processor cores to run faster or slower than the rated operating frequency. | + +>[!NOTE] +>The power slider is entirely independent of operating system power settings whether configured from Control Panel/ Power Options, Group Policy, or related methods. + +To learn more, see: + +- [Customize the Windows performance power + slider](https://docs.microsoft.com/windows-hardware/customize/desktop/customize-power-slider) + +- [Battery + saver.](https://docs.microsoft.com/windows-hardware/design/component-guidelines/battery-saver) + +## Best practices for extended battery life + + +| Best practice | Go to | Next steps | +|---|---|---| +| Ensure your Surface device is up to date| Windows Update | In the taskbar search box, type **Windows Update** and select **Check for updates**. | +| Choose the best power setting for what you’re doing | Power slider | In the taskbar, select the battery icon, then choose **Best performance**, **Best battery life**, or somewhere in between.| +| Conserve battery when it’s low | Battery saver | In the taskbar, select the battery icon and click **Battery settings**. Select **Turn battery saver on automatically if my battery falls below** and then move the slider further to the right for longer battery life. | +| Configure optimal screen brightness | Battery saver | In the taskbar, select the battery icon and click **Battery settings**, select **Lower screen brightness while in battery saver**. | +| Conserve power whenever you’re not plugged in | Battery saver| Select **Turn on battery saver status until next charge**.| +| Investigate problems with your power settings. | Power troubleshooter | In the Taskbar search for troubleshoot, select **Troubleshoot**, and then select **Power** and follow the instructions.| +| Check app usage | Your apps | Close apps.| +| Check your power cord for any damage.| Your power cord | Replace power cord if worn or damaged.| + +# Learn more + +- [Modern + standby](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby-wake-sources) + + + +- [Customize the Windows performance power + slider](https://docs.microsoft.com/windows-hardware/customize/desktop/customize-power-slider) + +- [Battery + saver](https://docs.microsoft.com/windows-hardware/design/component-guidelines/battery-saver) diff --git a/devices/surface/manage-surface-dock-firmware-updates.md b/devices/surface/manage-surface-dock-firmware-updates.md deleted file mode 100644 index 45bf61629f..0000000000 --- a/devices/surface/manage-surface-dock-firmware-updates.md +++ /dev/null @@ -1,124 +0,0 @@ ---- -title: Manage Surface Dock firmware updates (Surface) -description: Read about the different methods you can use to manage the process of Surface Dock firmware updates. -ms.assetid: 86DFC0C0-C842-4CD1-A2D7-4425471FFE3F -ms.localizationpriority: medium -keywords: firmware, update, install, drivers -ms.prod: w10 -ms.mktglfcycl: manage -ms.pagetype: surface, devices -ms.sitesec: library -author: jobotto -ms.author: jdecker -ms.topic: article -ms.date: 07/27/2017 ---- - -# Manage Surface Dock firmware updates - - -Read about the different methods you can use to manage the process of Surface Dock firmware updates. - -The Surface Dock provides external connectivity to Surface devices through a single cable connection that includes Power, Ethernet, Audio, USB 3.0, and DisplayPort. The numerous connections provided by the Surface Dock are enabled by a smart chipset within the Surface Dock device. Like a Surface device’s chipset, the chipset that is built into the Surface Dock is controlled by firmware. For more information about the Surface Dock, see the [Surface Dock demonstration](https://technet.microsoft.com/mt697552) video. - -Like the firmware for Surface devices, firmware for Surface Dock is also contained within a downloaded driver that is visible in Device Manager. This driver stages the firmware update files on the Surface device. When a Surface Dock is connected and the driver is loaded, the newer version of the firmware staged by the driver is detected and firmware files are copied to the Surface Dock. The Surface Dock then begins a two-phase process to apply the firmware internally. Each phase requires the Surface Dock to be disconnected from the Surface device before the firmware is applied. The driver copies the firmware into the dock, but only applies it when the user disconnects the Surface device from the Surface Dock. This ensures that there are no disruptions because the firmware is only applied when the user leaves their desk with the device. - - ->[!NOTE] ->You can learn more about the firmware update process for Surface devices and how firmware is updated through driver installation at the following links: ->- [How to manage and update Surface drivers and firmware](https://technet.microsoft.com/mt697551) from Microsoft Mechanics ->- [Windows Update Makes Surface Better](https://go.microsoft.com/fwlink/p/?LinkId=785354) on the Microsoft Devices Blog - - -  - -The Surface Dock firmware update process shown in Figure 1 follows these steps: - -1. Drivers for Surface Dock are installed on Surface devices that are connected, or have been previously connected, to a Surface Dock. - -2. The drivers for Surface Dock are loaded when a Surface Dock is connected to the Surface device. - -3. The firmware version installed in the Surface Dock is compared with the firmware version staged by the Surface Dock driver. - -4. If the firmware version on the Surface Dock is older than the firmware version contained in the Surface Dock driver, the main chipset firmware update files are copied from the driver to the Surface Dock. - -5. When the Surface Dock is disconnected, the Surface Dock installs the firmware update to the main chipset. - -6. When the Surface Dock is connected again, the main chipset firmware is verified against the firmware present in the Surface Dock driver. - -7. If the firmware update for the main chipset is installed successfully, the Surface Dock driver copies the firmware update for the DisplayPort. - -8. When the Surface Dock is disconnected for a second time, the Surface dock installs the firmware update to the DisplayPort chipset. This process takes up to 3 minutes to apply. - -![Surface Dock firmware update process](images/manage-surface-dock-fig1-updateprocess.png "Surface Dock firmware update process") - -*1- Driver installation can be performed by Windows Update, manual installation, or automatically downloaded with Microsoft Surface Dock Updater* - -*2 - The Surface Dock firmware installation process takes approximately 3 minutes* - -Figure 1. The Surface Dock firmware update process - -If the firmware installation process is interrupted (for example, if power is disconnected from the Surface Dock during firmware installation), the Surface Dock will automatically revert to the prior firmware without disruption to the user, and the update process will restart the next time the Surface Dock is disconnected. For most users this update process should be entirely transparent. - -## Methods for updating Surface Dock firmware - - -There are three methods you can use to update the firmware of the Surface Dock: - -- [Automatic installation of drivers with Windows Update](#automatic-installation) - -- [Deployment of drivers downloaded from the Microsoft Download Center](#deployment-dlc) - -- [Manually update with Microsoft Surface Dock Updater](#manual-updater) - -## Automatic installation with Windows Update - - -Windows Update is the method that most users will use. The drivers for the Surface Dock are downloaded automatically from Windows Update and the dock update process is initiated without additional user interaction. The two-phase dock update process described earlier occurs in the background as the user connects and disconnects the Surface Dock during normal use. - ->[!NOTE] ->The driver version that is displayed in Device Manager may be different from the firmware version that the Surface Dock is using. - -  - -## Deployment of drivers downloaded from the Microsoft Download Center - - -This method is used mostly in environments where Surface device drivers and firmware are managed separately from Windows Update. See [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md) for more information about the different methods to manage Surface device driver and firmware updates. Updating the Surface Dock firmware through this method involves downloading and deploying an MSI package to the Surface device that contains the updated Surface Dock drivers and firmware. This is the same method recommended for updating all other Surface drivers and firmware. The two-phase firmware update process occurs in the background each time the Surface Dock is disconnected, just like it does with the Windows Update method. - -For more information about how to deploy MSI packages see [Create and deploy an application with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/get-started/create-and-deploy-an-application). - ->[!NOTE] ->When drivers are installed through Windows Update or the MSI package, registry keys are added that indicate the version of firmware installed on the Surface Dock and contained within the Surface Dock driver. These registry keys can be found in: -> **HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WUDF\\Services\\SurfaceDockFwUpdate\\Parameters** - -Firmware status is displayed for both the main chipset (displayed as **Component10**) and the DisplayPort chipset (displayed as **Component20**). For each chipset there are four keys, where *xx* is **10** or **20** corresponding to each chipset: - -- **Component*xx*CurrentFwVersion** – This key displays the version of firmware that is installed on the currently connected or most recently connected Surface Dock. - -- **Component*xx*OfferFwVersion** – This key displays the version of firmware staged by the Surface Dock driver. - -- **Component*xx*FirmwareUpdateStatus** – This key displays the stage of the Surface Dock firmware update process. - -- **Component*xx*FirmwareUpdateStatusRejectReason** – This key changes as the firmware update is processed. It should result in 0 after the successful installation of Surface Dock firmware. - ->[!NOTE] ->These registry keys are not present unless you have installed updated Surface Dock drivers through Windows Update or MSI deployment. - -  - -## Manually update with Microsoft Surface Dock Updater - - -The manual method using the Microsoft Surface Dock Updater tool to update the Surface Dock is used mostly in environments where IT prepares Surface Docks prior to delivery to the end user, or for troubleshooting of a Surface Dock. Microsoft Surface Dock Updater is a tool that you can run from any Surface device that is compatible with the Surface Dock, and will walk you through the process of performing the Surface Dock firmware update in the least possible amount of time. You can also use this tool to verify the firmware status of a connected Surface Dock. - -For more information about how to use the Microsoft Surface Dock Updater tool, please see [Microsoft Surface Dock Updater](surface-dock-updater.md). You can download the Microsoft Surface Dock Updater tool from the [Surface Tools for IT page](https://www.microsoft.com/download/details.aspx?id=46703) on the Microsoft Download Center. - -  - -  - - - - - diff --git a/devices/surface/microsoft-surface-brightness-control.md b/devices/surface/microsoft-surface-brightness-control.md new file mode 100644 index 0000000000..b9910dfc97 --- /dev/null +++ b/devices/surface/microsoft-surface-brightness-control.md @@ -0,0 +1,64 @@ +--- +title: Surface Brightness Control +description: This topic describes how you can use the Surface Brightness Control app to manage display brightness in point-of-sale and kiosk scenarios. +ms.prod: w10 +ms.mktglfcycl: manage +ms.pagetype: surface, devices +ms.sitesec: library +author: coveminer +ms.author: jdecker +ms.topic: article +ms.date: 1/15/2019 +--- + +# Surface Brightness Control + +When deploying Surface devices in point of sale or other “always-on” +kiosk scenarios, you can optimize power management using the new Surface +Brightness Control app. + +Available for download with [Surface Tools for +IT](https://www.microsoft.com/download/details.aspx?id=46703), Surface Brightness Control is +designed to help reduce thermal load and lower the overall carbon +footprint for deployed Surface devices. The tool automatically dims the screen when not in use and +includes the following configuration options: + + - Period of inactivity before dimming the display. + + - Brightness level when dimmed. + + - Maximum brightness level when in use. + +**To run Surface Brightness Control:** + + - Install surfacebrightnesscontrol.msi on the target device and Surface Brightness Control + will begin working immediately. + +## Configuring Surface Brightness Control + +You can adjust the default values via the Windows Registry. For more +information about using the Windows Registry, refer to the [Registry +documentation](https://docs.microsoft.com/windows/desktop/sysinfo/registry). + +1. Run regedit from a command prompt to open the Windows Registry + Editor. + + - Computer\HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Surface\Surface + Brightness Control\ + + +| Registry Setting | Data| Description +|-----------|------------|--------------- +| Brightness Control Enabled | Default: 01
Option: 01, 00
Type: REG_BINARY | This setting allows you to turn Surface Brightness Control on or off. To disable Surface Brightness Control, set the value to 00. If you do not configure this setting, Surface Brightness Control is on. | +| Brightness Control On Power Enabled| Default: 01
Options: 01, 00
Type: REG_BINARY | This setting allows you to turn off Surface Brightness Control when the device is directly connected to power. To disable Surface Brightness Control when power is plugged in, set the value to 00. If you do not configure this setting, Surface Brightness Control is on. | +| Dimmed Brightness | Default: 20
Option: Range of 0-100 percent of screen brightness
Data Type: Positive integer
Type: REG_DWORD | This setting allows you to manage brightness range during periods of inactivity. If you do not configure this setting, the brightness level will drop to 20 percent of full brightness after 30 seconds of inactivity. | +Full Brightness | Default: 100
Option: Range of 0-100 percent of screen brightness
Data Type: Positive integer
Type: REG_DWORD | This setting allows you to manage the maximum brightness range for the device. If you do not configure this setting, the maximum brightness range is 100 percent.| +| Inactivity Timeout| Default: 30 seconds
Option: Any numeric value
Data Type: Integer
Type: REG_DWORD | This setting allows you to manage the period of inactivity before dimming the device. If you do not configure this setting, the inactivity timeout is 30 seconds.| +| Telemetry Enabled | Default: 01
Option: 01, 00
Type: REG_BINARY | This setting allows you to manage the sharing of app usage information to improve software and provide better user experience. To disable telemetry, set the value to 00. If you do not configure this setting, telemetry information is shared with Microsoft in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). | + + + +## Related topics + +- [Battery limit setting](battery-limit.md) + diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index 3e3aa60025..23e0c2dd91 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -57,6 +57,9 @@ Some scenarios where Microsoft Surface Data Eraser can be helpful include: >[!NOTE] >Because the ability to boot to USB is required to run Microsoft Surface Data Eraser, if the device is not configured to boot from USB or if the device is unable to boot or POST successfully, the Microsoft Surface Data Eraser tool will not function. +>[!NOTE] +>Surface Data Eraser on Surface Studio and Surface Studio 2 can take up to 6 minutes to boot into WinPE before disk erasure can occur. + ## How to create a Microsoft Surface Data Eraser USB stick @@ -150,6 +153,22 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following: +### Version 3.2.78.0 +*Release Date: 4 Dec 2018* + +This version of Surface Data Eraser: + +- Includes bug fixes + + +### Version 3.2.75.0 +*Release Date: 12 November 2018* + +This version of Surface Data Eraser: + +- Adds support to Surface Studio 2 +- Fixes issues with SD card + ### Version 3.2.69.0 *Release Date: 12 October 2018* diff --git a/devices/surface/surface-diagnostic-toolkit-business.md b/devices/surface/surface-diagnostic-toolkit-business.md new file mode 100644 index 0000000000..7325a15492 --- /dev/null +++ b/devices/surface/surface-diagnostic-toolkit-business.md @@ -0,0 +1,165 @@ +--- +title: Surface Diagnostic Toolkit for Business +description: This topic explains how to use the Surface Diagnostic Toolkit for Business. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.author: jdecker +ms.topic: article +ms.date: 11/15/2018 +--- + +# Surface Diagnostic Toolkit for Business + +The Microsoft Surface Diagnostic Toolkit for Business (SDT) enables IT administrators to quickly investigate, troubleshoot, and resolve hardware, software, and firmware issues with Surface devices. You can run a range of diagnostic tests and software repairs in addition to obtaining device health insights and guidance for resolving issues. + +Specifically, SDT for Business enables you to: + +- [Customize the package.](#create-custom-sdt) +- [Run the app using commands.](surface-diagnostic-toolkit-command-line.md) +- [Run multiple hardware tests to troubleshoot issues.](surface-diagnostic-toolkit-desktop-mode.md#multiple) +- [Generate logs for analyzing issues.](surface-diagnostic-toolkit-desktop-mode.md#logs) +- [Obtain detailed report comparing device vs optimal configuration.](surface-diagnostic-toolkit-desktop-mode.md#detailed-report) + + +## Primary scenarios and download resources + +To run SDT for Business, download the components listed in the following table. + +>[!NOTE] +>In contrast to the way you typically install MSI packages, the SDT distributable MSI package can only be created by running Windows Installer (msiexec.exe) at a command prompt and setting the custom flag `ADMINMODE = 1`. For details, see [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md). + +Mode | Primary scenarios | Download | Learn more +--- | --- | --- | --- +Desktop mode | Assist users in running SDT on their Surface devices to troubleshoot issues.
Create a custom package to deploy on one or more Surface devices allowing users to select specific logs to collect and analyze. | SDT distributable MSI package:
Microsoft Surface Diagnostic Toolkit for Business Installer
[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Use Surface Diagnostic Toolkit in desktop mode](surface-diagnostic-toolkit-desktop-mode.md) +Command line | Directly troubleshoot Surface devices remotely without user interaction, using standard tools such as Configuration Manager. It includes the following commands:
`-DataCollector` collects all log files
`-bpa` runs health diagnostics using Best Practice Analyzer.
`-windowsupdate` checks Windows update for missing firmware or driver updates.

**Note:** Support for the ability to confirm warranty information will be available via the command `-warranty` | SDT console app:
Microsoft Surface Diagnostics App Console
[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md) + +## Supported devices + +SDT for Business is supported on Surface 3 and later devices, including: + +- Surface Pro 6 +- Surface Laptop 2 +- Surface Go +- Surface Go with LTE +- Surface Book 2 +- Surface Pro with LTE Advanced (Model 1807) +- Surface Pro (Model 1796) +- Surface Laptop +- Surface Studio +- Surface Studio 2 +- Surface Book +- Surface Pro 4 +- Surface 3 LTE +- Surface 3 +- Surface Pro 3 + +## Installing Surface Diagnostic Toolkit for Business + +To create an SDT package that you can distribute to users in your organization, you first need to install SDT at a command prompt and set a custom flag to install the tool in admin mode. SDT contains the following install option flags: + +- `SENDTELEMETRY` sends telemetry data to Microsoft. The flag accepts `0` for disabled or `1` for enabled. The default value is `1` to send telemetry. +- `ADMINMODE` configures the tool to be installed in admin mode. The flag accepts `0` for Business client mode or `1` for Business Administrator mode. The default value is `0`. + +**To install SDT in ADMINMODE:** + +1. Sign in to your Surface device using the Administrator account. +2. Download SDT Windows Installer Package (.msi) from the [Surface Tools for IT download page](https://www.microsoft.com/download/details.aspx?id=46703) and copy it to a preferred location on your Surface device, such as Desktop. +3. Open a command prompt and enter: + + ``` + msiexec.exe /i ADMINMODE=1. + ``` + **Example:** + + ``` + C:\Users\Administrator> msiexec.exe/I"C:\Users\Administrator\Desktop\Microsoft_Surface_Diagnostic_Toolkit_for_Business_Installer.msi" ADMINMODE=1 + ``` + +4. The SDT setup wizard appears, as shown in figure 1. Click **Next**. + + >[!NOTE] + >If the setup wizard does not appear, ensure that you are signed into the Administrator account on your computer. + + ![welcome to the Surface Diagnostic Toolkit setup wizard](images/sdt-1.png) + + *Figure 1. Surface Diagnostic Toolkit setup wizard* + +5. When the SDT setup wizard appears, click **Next**, accept the End User License Agreement (EULA), and select a location to install the package. + +6. Click **Next** and then click **Install**. + +## Locating SDT on your Surface device + +Both SDT and the SDT app console are installed at `C:\Program Files\Microsoft\Surface\Microsoft Surface Diagnostic Toolkit for Business`. + +In addition to the .exe file, SDT installs a JSON file and an admin.dll file (modules\admin.dll), as shown in figure 2. + +![list of SDT installed files in File Explorer](images/sdt-2.png) + +*Figure 2. Files installed by SDT* + + +## Preparing the SDT package for distribution + +Creating a custom package allows you to target the tool to specific known issues. + +1. Click **Start > Run**, enter **Surface** and then click **Surface Diagnostic Toolkit for Business**. +2. When the tool opens, click **Create Custom Package**, as shown in figure 3. + + ![Create custom package option](images/sdt-3.png) + + *Figure 3. Create custom package* + +### Language and telemetry page + + +When you start creating the custom package, you’re asked whether you agree to send data to Microsoft to help improve the application. For more information,see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). Sharing is on by default, so uncheck the box if you wish to decline. + +>[!NOTE] +>This setting is limited to only sharing data generated while running packages. + +![Select language and telemetry settings](images/sdt-4.png) + +*Figure 4. Select language and telemetry settings* + +### Windows Update page + +Select the option appropriate for your organization. Most organizations with multiple users will typically select to receive updates via Windows Server Update Services (WSUS), as shown in figure 5. If using local Windows update packages or WSUS, enter the path as appropriate. + +![Select Windows Update option](images/sdt-5.png) + +*Figure 5. Windows Update option* + +### Software repair page + +This allows you to select or remove the option to run software repair updates. + +![Select software repair option](images/sdt-6.png) + +*Figure 6. Software repair option* + +### Collecting logs and saving package page + +You can select to run a wide range of logs across applications, drivers, hardware, and the operating system. Click the appropriate area and select from the menu of available logs. You can then save the package to a software distribution point or equivalent location that users can access. + +![Select log options](images/sdt-7.png) + +*Figure 7. Log option and save package* + +## Next steps + +- [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md) +- [Use Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) + + + + + + + + + + + diff --git a/devices/surface/surface-diagnostic-toolkit-command-line.md b/devices/surface/surface-diagnostic-toolkit-command-line.md new file mode 100644 index 0000000000..8d5cf4009c --- /dev/null +++ b/devices/surface/surface-diagnostic-toolkit-command-line.md @@ -0,0 +1,148 @@ +--- +title: Run Surface Diagnostic Toolkit for Business using commands +description: How to run Surface Diagnostic Toolkit in a command console +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.author: jdecker +ms.topic: article +ms.date: 11/15/2018 +--- + +# Run Surface Diagnostic Toolkit for Business using commands + +Running the Surface Diagnostic Toolkit (SDT) at a command prompt requires downloading the STD app console. After it's installed, you can run SDT at a command prompt via the Windows command console (cmd.exe) or using Windows PowerShell, including PowerShell Integrated Scripting Environment (ISE), which provides support for autocompletion of commands, copy/paste, and other features. + +>[!NOTE] +>To run SDT using commands, you must be signed in to the Administrator account or signed in to an account that is a member of the Administrator group on your Surface device. + +## Running SDT app console + +Download and install SDT app console from the [Surface Tools for IT download page](https://www.microsoft.com/download/details.aspx?id=46703). You can use the Windows command prompt (cmd.exe) or Windows PowerShell to: + +- Collect all log files. +- Run health diagnostics using Best Practice Analyzer. +- Check update for missing firmware or driver updates. + +>[!NOTE] +>In this release, the SDT app console supports single commands only. Running multiple command line options requires running the console exe separately for each command. + +By default, output files are saved in the same location as the console app. Refer to the following table for a complete list of commands. + +Command | Notes +--- | --- +-DataCollector "output file" | Collects system details into a zip file. "output file" is the file path to create system details zip file.

**Example**:
`Microsoft.Surface.Diagnostics.App.Console.exe -DataCollector SDT_DataCollection.zip` +-bpa "output file" | Checks several settings and health indicators in the device. “output file" is the file path to create the HTML report.

**Example**:
`Microsoft.Surface.Diagnostics.App.Console.exe -bpa BPA.html` +-windowsupdate | Checks Windows Update online servers for missing firmware and/or driver updates.

**Example**:
Microsoft.Surface.Diagnostics.App.Console.exe -windowsupdate +-warranty "output file" | Checks warranty information on the device (valid or invalid). The optional “output file” is the file path to create the xml file.

**Example**:
Microsoft.Surface.Diagnostics.App.Console.exe –warranty “warranty.xml” + + +>[!NOTE] +>To run the SDT app console remotely on target devices, you can use a configuration management tool such as System Center Configuration Manager. Alternatively, you can create a .zip file containing the console app and appropriate console commands and deploy per your organization’s software distribution processes. + +## Running Best Practice Analyzer + +You can run BPA tests across key components such as BitLocker, Secure Boot, and Trusted Platform Module (TPM) and then output the results to a shareable file. The tool generates a series of tables with color-coded headings and condition descriptors along with guidance about how to approach resolving the issue. + +- Green indicates the component is running in an optimal condition (optimal). +- Orange indicates the component is not running in an optimal condition (not optimal). +- Red indicates the component is in an abnormal state. + +### Sample BPA results output + + + + + + + +
BitLocker
Description:Checks if BitLocker is enabled on the system drive.
Value:Protection On
Condition:Optimal
Guidance:It is highly recommended to enable BitLocker to protect your data.
+ + + + + + + +
Secure Boot
Description:Checks if Secure Boot is enabled.
Value:True
Condition:Optimal
Guidance:It is highly recommended to enable Secure Boot to protect your PC.
+ + + + + + + +
Trusted Platform Module
Description:Ensures that the TPM is functional.
Value:True
Condition:Optimal
Guidance:Without a functional TPM, security-based functions such as BitLocker may not work properly.
+ + + + + + + +
Connected Standby
Description:Checks if Connected Standby is enabled.
Value:True
Condition:Optimal
Guidance:Connected Standby allows a Surface device to receive updates and notifications while not being used. For best experience, Connected Standby should be enabled.
+ + + + + + + +
Bluetooth
Description:Checks if Bluetooth is enabled.
Value:Enabled
Condition:Optimal
Guidance:
+ + + + + + + +
Debug Mode
Description:Checks if the operating system is in Debug mode.
Value:Normal
Condition:Optimal
Guidance:The debug boot option enables or disables kernel debugging of the Windows operating system. Enabling this option can cause system instability and can prevent DRM (digital rights managemend) protected media from playing.
+ + + + + + + +
Test Signing
Description:Checks if Test Signing is enabled.
Value:Normal
Condition:Optimal
Guidance:Test Signing is a Windows startup setting that should only be used to test pre-release drivers.
+ + + + + + + +
Active Power Plan
Description:Checks that the correct power plan is active.
Value:Balanced
Condition:Optimal
Guidance:It is highly recommended to use the "Balanced" power plan to maximize productivity and battery life.
+ + + + + + + +
Windows Update
Description:Checks if the device is up to date with Windows updates.
Value:Microsoft Silverlight (KB4023307), Definition Update for Windows Defender Antivirus - KB2267602 (Definition 1.279.1433.0)
Condition:Not Optimal
Guidance:Updating to the latest windows makes sure you are on the latest firmware and drivers. It is recommended to always keep your device up to date
+ + + + + + + +
Free Hard Drive Space
Description:Checks for low free hard drive space.
Value:66%
Condition:Optimal
Guidance:For best performance, your hard drive should have at least 10% of its capacity as free space.
+ + + + + + + +
Non-Functioning Devices
Description:List of non-functioning devices in Device Manager.
Value:
Condition:Optimal
Guidance:Non-functioning devices in Device Manager may cause unpredictable problems with Surface devices such as, but not limited to, no power savings for the respective hardware component.
+ + + + + + + +
External Monitor
Description:Checks for an external monitor that may have compatibility issues.
Value:
Condition:Optimal
Guidance:Check with the original equipment manufacturer for compatibility with your Surface device.
diff --git a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md new file mode 100644 index 0000000000..ee76845656 --- /dev/null +++ b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md @@ -0,0 +1,99 @@ +--- +title: Use Surface Diagnostic Toolkit for Business in desktop mode +description: How to use SDT to help users in your organization run the tool to identify and diagnose issues with the Surface device. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.author: jdecker +ms.topic: article +ms.date: 11/15/2018 +--- + +# Use Surface Diagnostic Toolkit for Business in desktop mode + +This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help users in your organization run the tool to identify and diagnose issues with the Surface device. Successfully running SDT can quickly determine if a reported issue is caused by failed hardware or user error. + +1. Direct the user to install [the SDT package](surface-diagnostic-toolkit-business.md#create-custom-sdt) from a software distribution point or network share. After it is installed, you’re ready to guide the user through a series of tests. + +2. Begin at the home page, which allows users to enter a description of the issue, and click **Continue**, as shown in figure 1. + + ![Start SDT in desktop mode](images/sdt-desk-1.png) + + *Figure 1. SDT in desktop mode* + +3. When SDT indicates the device has the latest updates, click **Continue** to advance to the catalog of available tests, as shown in figure 2. + + ![Select from SDT options](images/sdt-desk-2.png) + + *Figure 2. Select from SDT options* + +4. You can choose to run all the diagnostic tests. Or, if you already suspect a particular issue such as a faulty display or a power supply problem, click **Select** to choose from the available tests and click **Run Selected**, as shown in figure 3. See the following table for details of each test. + + ![Select hardware tests](images/sdt-desk-3.png) + + *Figure 3. Select hardware tests* + + Hardware test | Description + --- | --- + Power Supply and Battery | Checks Power supply is functioning optimally + Display and Sound | Checks brightness, stuck or dead pixels, speaker and microphone functioning + Ports and Accessories | Checks accessories, screen attach and USB functioning + Connectivity | Checks Bluetooth, wireless and LTE connectivity + Security | Checks security related issues + Touch | Checks touch related issues + Keyboard and touch | Checks integrated keyboard connection and type cover + Sensors | Checks functioning of different sensors in the device + Hardware | Checks issues with different hardware components such as graphics card and camera + + + + + + +## Running multiple hardware tests to troubleshoot issues + +SDT is designed as an interactive tool that runs a series of tests. For each test, SDT provides instructions summarizing the nature of the test and what users should expect or look for in order for the test to be successful. For example, to diagnose if the display brightness is working properly, SDT starts at zero and increases the brightness to 100 percent, asking users to confirm – by answering **Yes** or **No** -- that brightness is functioning as expected, as shown in figure 4. + +For each test, if functionality does not work as expected and the user clicks **No**, SDT generates a report of the possible causes and ways to troubleshoot it. + +![Running hardware diagnostics](images/sdt-desk-4.png) + +*Figure 4. Running hardware diagnostics* + +1. If the brightness successfully adjusts from 0-100 percent as expected, direct the user to click **Yes** and then click **Continue**. +2. If the brightness fails to adjust from 0-100 percent as expected, direct the user to click **No** and then click **Continue**. +3. Guide users through remaining tests as appropriate. When finished, SDT automatically provides a high-level summary of the report, including the possible causes of any hardware issues along with guidance for resolution. + + +### Repairing applications + +SDT enables you to diagnose and repair applications that may be causing issues, as shown in figure 5. + +![Running repairs](images/sdt-desk-5.png) + +*Figure 5. Running repairs* + + + + + +### Generating logs for analyzing issues + +SDT provides extensive log-enabled diagnosis support across applications, drivers, hardware, and operating system issues, as shown in figure 6. + +![Generating logs](images/sdt-desk-6.png) + +*Figure 6. Generating logs* + + + + +### Generating detailed report comparing device vs. optimal configuration + +Based on the logs, SDT generates a report for software- and firmware-based issues that you can save to a preferred location. + +## Related topics + +- [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) + diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md index 925b058eb0..10b49c4719 100644 --- a/devices/surface/surface-dock-updater.md +++ b/devices/surface/surface-dock-updater.md @@ -27,7 +27,7 @@ When you run the Microsoft Surface Dock Updater installer you will be prompted t >Updating Surface Dock firmware requires connectivity to the Surface Dock via the Surface Connect™ port. Installation of the Microsoft Surface Dock Updater is only supported on devices that feature the Surface Connect™ port. >[!NOTE] ->The Surface Dock Updater tool is unable to run on Windows 10 S. Surface Dock devices used with Surface Laptop with Windows 10 S will receive updates natively through Windows Update. To manually update a Surface Dock for use with Surface Laptop and Windows 10 S, connect the Surface Dock to another Surface device with a Windows 10 Pro or Windows 10 Enterprise environment. +>The Surface Dock Updater tool is unable to run on Windows 10 S. To manually update a Surface Dock for use with Surface Laptop and Windows 10 S, connect the Surface Dock to another Surface device with a Windows 10 Pro or Windows 10 Enterprise environment. ## Update a Surface Dock with Microsoft Surface Dock Updater @@ -112,7 +112,7 @@ Microsoft Surface Dock Updater logs its progress into the Event Log, as shown in ## Changes and updates -Microsoft periodically updates Surface Dock Updater. To learn more about the application of firmware by Surface Dock Updater, see [Manage Surface Dock firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-dock-firmware-updates). +Microsoft periodically updates Surface Dock Updater. >[!Note] >Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater. @@ -191,7 +191,7 @@ This version of Surface Dock Updater adds support for the following: * Update for Surface Dock DisplayPort firmware -## Related topics + -[Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md) + diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index 77fc4c027c..e42a925b72 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -17,7 +17,7 @@ ms.date: 01/06/2017 Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal. >[!NOTE] ->SEMM is only available on devices with Surface UEFI firmware, such as Surface Pro 4, Surface Book, and Surface Studio. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings). +>SEMM is only available on devices with Surface UEFI firmware such as Surface Pro 4 and later, Surface Go, Surface Laptop, Surface Book, and Surface Studio. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings). When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM. @@ -25,7 +25,7 @@ There are two administrative options you can use to manage SEMM and enrolled Sur ## Microsoft Surface UEFI Configurator -The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied. +The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages or WinPE images that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied. ![Microsoft Surface UEFI Configurator](images\surface-ent-mgmt-fig1-uefi-configurator.png "Microsoft Surface UEFI Configurator") @@ -74,14 +74,15 @@ You can enable or disable the following devices with SEMM: * Docking USB Port * On-board Audio +* DGPU * Type Cover -* Micro SD or SD Card Slots +* Micro SD Card * Front Camera * Rear Camera * Infrared Camera, for Windows Hello * Bluetooth Only * Wi-Fi and Bluetooth -* Trusted Platform Module (TPM) +* LTE You can configure the following advanced settings with SEMM: @@ -89,9 +90,12 @@ You can configure the following advanced settings with SEMM: * Alternate boot order, where the Volume Down button and Power button can be pressed together during boot, to boot directly to a USB or Ethernet device * Lock the boot order to prevent changes * Support for booting to USB devices +* Enable Network Stack boot settings +* Enable Auto Power On boot settings * Display of the Surface UEFI **Security** page * Display of the Surface UEFI **Devices** page * Display of the Surface UEFI **Boot** page +* Display of the Surface UEFI **DateTime** page >[!NOTE] >When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5. @@ -116,7 +120,7 @@ These characters are the last two characters of the certificate thumbprint and s >6. **All** or **Properties Only** must be selected in the **Show** drop-down menu. >7. Select the field **Thumbprint**. -To enroll a Surface device in SEMM or to apply the UEFI configuration from a configuration package, all you need to do is run the .msi file on the intended Surface device. You can use application deployment or operating system deployment technologies such as [System Center Configuration Manager](https://technet.microsoft.com/library/mt346023) or the [Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741). When you enroll a device in SEMM you must be present to confirm the enrollment on the device. User interaction is not required when you apply a configuration to devices that are already enrolled in SEMM. +To enroll a Surface device in SEMM or to apply the UEFI configuration from a configuration package, all you need to do is run the .msi file with administrative privileges on the intended Surface device. You can use application deployment or operating system deployment technologies such as [System Center Configuration Manager](https://technet.microsoft.com/library/mt346023) or the [Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741). When you enroll a device in SEMM you must be present to confirm the enrollment on the device. User interaction is not required when you apply a configuration to devices that are already enrolled in SEMM. For a step-by-step walkthrough of how to enroll a Surface device in SEMM or apply a Surface UEFI configuration with SEMM, see [Enroll and configure Surface devices with SEMM](https://technet.microsoft.com/itpro/surface/enroll-and-configure-surface-devices-with-semm). @@ -189,10 +193,43 @@ For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must >[!NOTE] >For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with removable storage, such as a USB stick. +### Managing certificates FAQ + +The recommended *minimum* length is 15 months. You can use a +certificate that expires in less than 15 months or use a certificate +that expires in longer than 15 months. + +>[!NOTE] +>When a certificate expires, it does not automatically renew. + +**Will existing machines continue to apply the bios settings after 15 +months?** + +Yes, but only if the package itself was signed when the certificate was +valid. + +**Will** **the SEMM package and certificate need to be updated on all +machines that have it?** + +If you want SEMM reset or recovery to work, the certificate needs to be +valid and not expired. You can use the current valid ownership +certificate to sign a package that updates to a new certificate for +ownership. You do not need to create a reset package. + +**Can bulk reset packages be created for each surface that we order? Can +one be built that resets all machines in our environment?** + +The PowerShell samples that create a config package for a specific +device type can also be used to create a reset package that is +serial-number independent. If the certificate is still valid, you can +create a reset package using PowerShell to reset SEMM. + ## Version History +### Version 2.26.136.0 +* Add support to Surface Studio 2 -### Version 2.21.136.9 +### Version 2.21.136.0 * Add support to Surface Pro 6 * Add support to Surface Laptop 2 diff --git a/devices/surface/update.md b/devices/surface/update.md index 29e0b9517b..df7a6e3c5d 100644 --- a/devices/surface/update.md +++ b/devices/surface/update.md @@ -8,7 +8,7 @@ ms.sitesec: library author: heatherpoulsen ms.author: jdecker ms.topic: article -ms.date: 12/01/2016 +ms.date: 11/13/2018 --- # Surface firmware and driver updates @@ -22,7 +22,6 @@ Find out how to download and manage the latest firmware and driver updates for y |[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | See how you can use Wake On LAN to remotely wake up devices to perform management or maintenance tasks, or to enable management solutions automatically. | | [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)| Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.| | [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)| Explore the available options to manage firmware and driver updates for Surface devices.| -| [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)| Read about the different methods you can use to manage the process of Surface Dock firmware updates.| | [Surface Dock Updater](surface-dock-updater.md)| Get a detailed walkthrough of Microsoft Surface Dock Updater.|   diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md index e4f3b0a922..08390d3c46 100644 --- a/devices/surface/windows-autopilot-and-surface-devices.md +++ b/devices/surface/windows-autopilot-and-surface-devices.md @@ -52,6 +52,6 @@ Enrolling Surface devices in Windows Autopilot at the time of purchase is a capa When you purchase Surface devices from a Surface partner enabled for Windows Autopilot, your new devices can be enrolled in your Windows Autopilot deployment for you by the partner. Surface partners enabled for Windows Autopilot include: -- [SHI](https://www.shi.com/?reseller=shi) -- [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface.html) -- [Atea](https://www.atea.com/) \ No newline at end of file +- [SHI](https://www.shi.com/Surface) +- [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface/windows-autopilot.html) +- [Atea](https://www.atea.com/) diff --git a/education/docfx.json b/education/docfx.json index c01be28758..227546b56a 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/education/get-started/change-history-ms-edu-get-started.md b/education/get-started/change-history-ms-edu-get-started.md index 97ddde85fb..890ee785d2 100644 --- a/education/get-started/change-history-ms-edu-get-started.md +++ b/education/get-started/change-history-ms-edu-get-started.md @@ -1,43 +1,42 @@ ---- -title: Change history for Microsoft Education Get Started -description: New and changed topics in the Microsoft Education get started guide. -keywords: Microsoft Education get started guide, IT admin, IT pro, school, education, change history +--- +title: Change history for Microsoft Education Get Started +description: New and changed topics in the Microsoft Education get started guide. +keywords: Microsoft Education get started guide, IT admin, IT pro, school, education, change history ms.prod: w10 -ms.technology: Windows -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: edu -author: CelesteDG -ms.author: celested -ms.date: 07/07/2017 ---- - -# Change history for Microsoft Education Get Started - -This topic lists the changes in the Microsoft Education IT admin get started. - -## July 2017 - -| New or changed topic | Description | -| --- | ---- | -| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Broke up the get started guide to highlight each phase in the Microsoft Education deployment and management process. | -| [Set up an Office 365 Education tenant](set-up-office365-edu-tenant.md) | New. Shows the video and step-by-step guide on how to set up an Office 365 for Education tenant. | -| [Use School Data Sync to import student data](use-school-data-sync.md) | New. Shows the video and step-by-step guide on School Data Sync and sample CSV files to import student data in a trial environment. | -| [Enable Microsoft Teams for your school](enable-microsoft-teams.md) | New. Shows how IT admins can enable and deploy Microsoft Teams in schools. | -| [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) | New. Shows the video and step-by-step guide on how to accept the services agreement and ensure your Microsoft Store account is associated with Intune for Education. | -| [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) | New. Shows the video and step-by-step guide on how to set up Intune for Education, buy apps from the Microsoft Store for Education, and install the apps for all users in your tenant. | -| [Set up Windows 10 education devices](set-up-windows-10-education-devices.md) | New. Shows options available to you when you need to set up new Windows 10 devices and enroll them to your education tenant. Each option contains a video and step-by-step guide. | -| [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md) | New. Shows the video and step-by-step guide on how to finish preparing your Windows 10 devices for use in the classroom. | - - -## June 2017 - -| New or changed topic | Description | -| --- | ---- | -| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Includes the following updates:

- New configuration guidance for IT administrators to deploy Microsoft Teams.
- Updated steps for School Data Sync to show the latest workflow and user experience.
- Updated steps for Option 2: Try out Microsoft Education in a trial environment. You no longer need the SDS promo code to try SDS in a trial environment. | - -## May 2017 - -| New or changed topic | Description | -| --- | ---- | -| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | New. Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. | +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: edu +author: CelesteDG +ms.author: celested +ms.date: 07/07/2017 +--- + +# Change history for Microsoft Education Get Started + +This topic lists the changes in the Microsoft Education IT admin get started. + +## July 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Broke up the get started guide to highlight each phase in the Microsoft Education deployment and management process. | +| [Set up an Office 365 Education tenant](set-up-office365-edu-tenant.md) | New. Shows the video and step-by-step guide on how to set up an Office 365 for Education tenant. | +| [Use School Data Sync to import student data](use-school-data-sync.md) | New. Shows the video and step-by-step guide on School Data Sync and sample CSV files to import student data in a trial environment. | +| [Enable Microsoft Teams for your school](enable-microsoft-teams.md) | New. Shows how IT admins can enable and deploy Microsoft Teams in schools. | +| [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) | New. Shows the video and step-by-step guide on how to accept the services agreement and ensure your Microsoft Store account is associated with Intune for Education. | +| [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) | New. Shows the video and step-by-step guide on how to set up Intune for Education, buy apps from the Microsoft Store for Education, and install the apps for all users in your tenant. | +| [Set up Windows 10 education devices](set-up-windows-10-education-devices.md) | New. Shows options available to you when you need to set up new Windows 10 devices and enroll them to your education tenant. Each option contains a video and step-by-step guide. | +| [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md) | New. Shows the video and step-by-step guide on how to finish preparing your Windows 10 devices for use in the classroom. | + + +## June 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Includes the following updates:

- New configuration guidance for IT administrators to deploy Microsoft Teams.
- Updated steps for School Data Sync to show the latest workflow and user experience.
- Updated steps for Option 2: Try out Microsoft Education in a trial environment. You no longer need the SDS promo code to try SDS in a trial environment. | + +## May 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | New. Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. | diff --git a/education/get-started/configure-microsoft-store-for-education.md b/education/get-started/configure-microsoft-store-for-education.md index caf9b51520..6da930b66d 100644 --- a/education/get-started/configure-microsoft-store-for-education.md +++ b/education/get-started/configure-microsoft-store-for-education.md @@ -3,7 +3,6 @@ title: Configure Microsoft Store for Education description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/enable-microsoft-teams.md b/education/get-started/enable-microsoft-teams.md index bab1e61628..5d3af7dc3d 100644 --- a/education/get-started/enable-microsoft-teams.md +++ b/education/get-started/enable-microsoft-teams.md @@ -3,7 +3,6 @@ title: Enable Microsoft Teams for your school description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/finish-setup-and-other-tasks.md b/education/get-started/finish-setup-and-other-tasks.md index b15394f6ac..120b357bc2 100644 --- a/education/get-started/finish-setup-and-other-tasks.md +++ b/education/get-started/finish-setup-and-other-tasks.md @@ -3,7 +3,6 @@ title: Finish Windows 10 device setup and other tasks description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md index 39dad1f8e4..6df81f8b27 100644 --- a/education/get-started/get-started-with-microsoft-education.md +++ b/education/get-started/get-started-with-microsoft-education.md @@ -3,7 +3,6 @@ title: Deploy and manage a full cloud IT solution with Microsoft Education description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: hero-article diff --git a/education/get-started/set-up-office365-edu-tenant.md b/education/get-started/set-up-office365-edu-tenant.md index 82ee6a90cd..01a5f5b4a9 100644 --- a/education/get-started/set-up-office365-edu-tenant.md +++ b/education/get-started/set-up-office365-edu-tenant.md @@ -3,7 +3,6 @@ title: Set up an Office 365 Education tenant description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/set-up-windows-10-education-devices.md b/education/get-started/set-up-windows-10-education-devices.md index 5b79384b77..a62a0e282d 100644 --- a/education/get-started/set-up-windows-10-education-devices.md +++ b/education/get-started/set-up-windows-10-education-devices.md @@ -3,7 +3,6 @@ title: Set up Windows 10 education devices description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/set-up-windows-education-devices.md b/education/get-started/set-up-windows-education-devices.md index ba8630edd9..e1f8ef557e 100644 --- a/education/get-started/set-up-windows-education-devices.md +++ b/education/get-started/set-up-windows-education-devices.md @@ -3,7 +3,6 @@ title: Set up Windows 10 devices using Windows OOBE description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/use-intune-for-education.md b/education/get-started/use-intune-for-education.md index baef903733..d1ab32cfa9 100644 --- a/education/get-started/use-intune-for-education.md +++ b/education/get-started/use-intune-for-education.md @@ -3,7 +3,6 @@ title: Use Intune for Education to manage groups, apps, and settings description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/use-school-data-sync.md b/education/get-started/use-school-data-sync.md index f880134137..f2bcfb50f9 100644 --- a/education/get-started/use-school-data-sync.md +++ b/education/get-started/use-school-data-sync.md @@ -3,7 +3,6 @@ title: Use School Data Sync to import student data description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/images/M365-education.svg b/education/images/M365-education.svg index 7f83629296..9591f90f68 100644 --- a/education/images/M365-education.svg +++ b/education/images/M365-education.svg @@ -1,4 +1,4 @@ - +
@@ -44,7 +45,7 @@ ms.date: 10/30/2017
  • - +
    @@ -90,7 +91,7 @@ ms.date: 10/30/2017
    - +
    @@ -109,7 +110,7 @@ ms.date: 10/30/2017
    - +
    diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md index 652ef9e87c..0861f90f74 100644 --- a/education/trial-in-a-box/educator-tib-get-started.md +++ b/education/trial-in-a-box/educator-tib-get-started.md @@ -3,7 +3,6 @@ title: Educator Trial in a Box Guide description: Need help or have a question about using Microsoft Education? Start here. keywords: support, troubleshooting, education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: article @@ -162,7 +161,7 @@ Use video to create a project summary. 1. Check you have the latest version of Microsoft Photos. Open the **Start** menu and search for **Store**. Select the **See more** button (**…**) and select **Downloads and updates**. Select **Get updates**. -2. Open Microsoft Edge and visit http://aka.ms/PhotosTIB to download a zip file of the project media. +2. Open Microsoft Edge and visit https://aka.ms/PhotosTIB to download a zip file of the project media. 3. Once the download has completed, open the zip file and select **Extract** > **Extract all**. Select **Browse** and choose the **Pictures** folder as the destination, and then select **Extract**. diff --git a/education/trial-in-a-box/images/it-admin1.svg b/education/trial-in-a-box/images/it-admin1.svg index f69dc4d324..695337f601 100644 --- a/education/trial-in-a-box/images/it-admin1.svg +++ b/education/trial-in-a-box/images/it-admin1.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/images/student1.svg b/education/trial-in-a-box/images/student1.svg index 832a1214ae..25c267bae9 100644 --- a/education/trial-in-a-box/images/student1.svg +++ b/education/trial-in-a-box/images/student1.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/images/student2.svg b/education/trial-in-a-box/images/student2.svg index 6566eab49b..5d473d1baf 100644 --- a/education/trial-in-a-box/images/student2.svg +++ b/education/trial-in-a-box/images/student2.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/images/teacher1.svg b/education/trial-in-a-box/images/teacher1.svg index 7db5c7dd32..00feb1e22a 100644 --- a/education/trial-in-a-box/images/teacher1.svg +++ b/education/trial-in-a-box/images/teacher1.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/images/teacher2.svg b/education/trial-in-a-box/images/teacher2.svg index e4f1cd4b74..592c516120 100644 --- a/education/trial-in-a-box/images/teacher2.svg +++ b/education/trial-in-a-box/images/teacher2.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md index 4a891bb989..c91f1c0264 100644 --- a/education/trial-in-a-box/index.md +++ b/education/trial-in-a-box/index.md @@ -3,7 +3,6 @@ title: Microsoft Education Trial in a Box description: For IT admins, educators, and students, discover what you can do with Microsoft 365 Education. Try it out with our Trial in a Box program. keywords: education, Microsoft 365 Education, trial, full cloud IT solution, school, deploy, setup, IT admin, educator, student, explore, Trial in a Box ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: article diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md index a8ba174071..49d37afbff 100644 --- a/education/trial-in-a-box/itadmin-tib-get-started.md +++ b/education/trial-in-a-box/itadmin-tib-get-started.md @@ -3,7 +3,6 @@ title: IT Admin Trial in a Box Guide description: Try out Microsoft 365 Education to implement a full cloud infrastructure for your school, manage devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft 365 Education, trial, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/trial-in-a-box/support-options.md b/education/trial-in-a-box/support-options.md index 11a23af4ec..cc82641391 100644 --- a/education/trial-in-a-box/support-options.md +++ b/education/trial-in-a-box/support-options.md @@ -3,7 +3,6 @@ title: Microsoft Education Trial in a Box Support description: Need help or have a question about using Microsoft Education Trial in a Box? Start here. keywords: support, troubleshooting, education, Microsoft 365 Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: article diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index 8a5441c5cc..3ab4c50a66 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -3,7 +3,6 @@ title: Reset devices with Autopilot Reset description: Gives an overview of Autopilot Reset and how you can enable and use it in your schools. keywords: Autopilot Reset, Windows 10, education ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 76c3513812..4185c9baae 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -3,7 +3,6 @@ title: Change history for Windows 10 for Education (Windows 10) description: New and changed topics in Windows 10 for Education keywords: Windows 10 education documentation, change history ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index b7173afa9b..58dcd89d1e 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -3,13 +3,12 @@ title: Change to Windows 10 Education from Windows 10 Pro description: Learn how IT Pros can opt into changing to Windows 10 Pro Education from Windows 10 Pro. keywords: change, free change, Windows 10 Pro to Windows 10 Pro Education, Windows 10 Pro to Windows 10 Pro Education, education customers, Windows 10 Pro Education, Windows 10 Pro ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium author: MikeBlodge -ms.author: MikeBlodge +ms.author: jaimeo ms.date: 04/30/2018 --- diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 5ca42d662f..e981deb743 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -4,7 +4,6 @@ description: In this guide you will learn how to migrate a Google Chromebook-bas ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA keywords: migrate, automate, device, Chromebook migration ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu, devices diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 25b1199a54..9d1acc0a3c 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md @@ -5,7 +5,6 @@ keywords: Windows 10 deployment, recommendations, privacy settings, school, educ ms.mktglfcycl: plan ms.sitesec: library ms.prod: w10 -ms.technology: Windows ms.pagetype: edu ms.localizationpriority: medium author: CelesteDG @@ -149,7 +148,7 @@ For example: ![Set SetEduPolicies to True in Windows Configuration Designer](images/setedupolicies_wcd.png) ## Ad-free search with Bing -Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. Additional information is available at http://www.bing.com/classroom/about-us. +Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. Additional information is available at https://www.bing.com/classroom/about-us. > [!NOTE] > If you enable the guest account in shared PC mode, students using the guest account will not have an ad-free experience searching with Bing in Microsoft Edge unless the PC is connected to your school network and your school network has been configured as described in [IP registration for entire school network using Microsoft Edge](#ip-registration-for-entire-school-network-using-microsoft-edge). diff --git a/education/windows/create-tests-using-microsoft-forms.md b/education/windows/create-tests-using-microsoft-forms.md index 3b0c7b4e62..f8c2aecdf4 100644 --- a/education/windows/create-tests-using-microsoft-forms.md +++ b/education/windows/create-tests-using-microsoft-forms.md @@ -1,32 +1,31 @@ ---- -title: Create tests using Microsoft Forms -description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test. -keywords: school, Take a Test, Microsoft Forms +--- +title: Create tests using Microsoft Forms +description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test. +keywords: school, Take a Test, Microsoft Forms ms.prod: w10 -ms.technology: Windows -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: edu -author: CelesteDG -ms.author: celested -redirect_url: https://support.microsoft.com/help/4000711/windows-10-create-tests-using-microsoft-forms ---- - -# Create tests using Microsoft Forms -**Applies to:** - -- Windows 10 - - -For schools that have an Office 365 Education subscription, teachers can use [Microsoft Forms](https://support.office.com/article/What-is-Microsoft-Forms-6b391205-523c-45d2-b53a-fc10b22017c8) to create a test and then require that students use the Take a Test app to block access to other computers or online resources while completing the test created through Microsoft Forms. - -To do this, teachers can select a check box to make it a secure test. Microsoft Forms will generate a link that you can use to embed into your OneNote or class website. When students are ready to take a test, they can click on the link to start the test. - -Microsoft Forms will perform checks to ensure students are taking the test in a locked down Take a Test session. If not, students are not permitted access to the assessment. - -[Learn how to block Internet access while students complete your form](https://support.office.com/article/6bd7e31d-5be0-47c9-a0dc-c0a74fc48959) - - -## Related topics - -[Take tests in Windows 10](take-tests-in-windows-10.md) +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +author: CelesteDG +ms.author: celested +redirect_url: https://support.microsoft.com/help/4000711/windows-10-create-tests-using-microsoft-forms +--- + +# Create tests using Microsoft Forms +**Applies to:** + +- Windows 10 + + +For schools that have an Office 365 Education subscription, teachers can use [Microsoft Forms](https://support.office.com/article/What-is-Microsoft-Forms-6b391205-523c-45d2-b53a-fc10b22017c8) to create a test and then require that students use the Take a Test app to block access to other computers or online resources while completing the test created through Microsoft Forms. + +To do this, teachers can select a check box to make it a secure test. Microsoft Forms will generate a link that you can use to embed into your OneNote or class website. When students are ready to take a test, they can click on the link to start the test. + +Microsoft Forms will perform checks to ensure students are taking the test in a locked down Take a Test session. If not, students are not permitted access to the assessment. + +[Learn how to block Internet access while students complete your form](https://support.office.com/article/6bd7e31d-5be0-47c9-a0dc-c0a74fc48959) + + +## Related topics + +[Take tests in Windows 10](take-tests-in-windows-10.md) diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index f33287b723..67bf3f18d4 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -3,7 +3,6 @@ title: Deploy Windows 10 in a school district (Windows 10) description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use System Center Configuration Manager, Intune, and Group Policy to manage devices. keywords: configure, tools, device, school district, deploy Windows 10 ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.pagetype: edu ms.sitesec: library @@ -1616,7 +1615,7 @@ As a final quality control step, verify the device configuration to ensure that * The device can connect to the Internet and view the appropriate web content in Microsoft Edge. * Windows Update is active and current with software updates. -* Windows Defender is active and current with malware signatures. +* Windows Defender is active and current with malware Security intelligence. * The SmartScreen Filter is active. * All Microsoft Store apps are properly installed and updated. * All Windows desktop apps are properly installed and updated. @@ -1670,7 +1669,7 @@ For more information about completing this task when you have:
    -Verify that Windows Defender is active and current with malware signatures.


    +Verify that Windows Defender is active and current with malware Security intelligence.

    For more information about completing this task, see [Turn Windows Defender on or off](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02) and [Updating Windows Defender](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03). x diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index d430864463..319f6b217d 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -3,7 +3,6 @@ title: Deploy Windows 10 in a school (Windows 10) description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. keywords: configure, tools, device, school, deploy Windows 10 ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.pagetype: edu ms.sitesec: library @@ -1078,7 +1077,7 @@ As a final quality control step, verify the device configuration to ensure that - The device can connect to the Internet and view the appropriate web content in Microsoft Edge. - Windows Update is active and current with software updates. -- Windows Defender is active and current with malware signatures. +- Windows Defender is active and current with malware Security intelligence. - The SmartScreen Filter is active. - All Microsoft Store apps are properly installed and updated. - All Windows desktop apps are properly installed and updated. @@ -1136,7 +1135,7 @@ For more information about completing this task when you have: -Verify that Windows Defender is active and current with malware signatures.

    +Verify that Windows Defender is active and current with malware Security intelligence.

    For more information about completing this task, see [Turn Windows Defender on or off](https://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab01) and [Updating Windows Defender](https://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab03). X X diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index 17435853f2..82c72e22f5 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md @@ -8,8 +8,7 @@ ms.localizationpriority: medium author: CelesteDG ms.author: celested ms.date: 10/13/2017 -ms.prod: W10 -ms.technology: Windows +ms.prod: w10 --- # Deployment recommendations for school IT administrators diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index d90e41f458..af93be32ee 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md @@ -2,7 +2,7 @@ title: Education scenarios Microsoft Store for Education description: Learn how IT admins and teachers can use Microsoft Store for Education to acquire and manage apps in schools. keywords: school, Microsoft Store for Education, Microsoft education store -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -10,8 +10,7 @@ searchScope: - Store author: trudyha ms.author: trudyha -ms.date: 3/30/2018 -ms.technology: Windows +ms.date: 03/30/2018 --- # Working with Microsoft Store for Education diff --git a/education/windows/enable-s-mode-on-surface-go-devices.md b/education/windows/enable-s-mode-on-surface-go-devices.md index a184220261..f58a24b82c 100644 --- a/education/windows/enable-s-mode-on-surface-go-devices.md +++ b/education/windows/enable-s-mode-on-surface-go-devices.md @@ -3,13 +3,12 @@ title: Enable S mode on Surface Go devices for Education description: Steps that an education customer can perform to enable S mode on Surface Go devices keywords: Surface Go for Education, S mode ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium author: kaushika-msft -ms.author: +ms.author: kaushik ms.date: 07/30/2018 --- @@ -54,8 +53,8 @@ process](https://docs.microsoft.com/windows/deployment/windows-10-deployment-sce publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" - xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + xmlns:wcm="https://schemas.microsoft.com/WMIConfig/2002/State" + xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"> 1 @@ -100,8 +99,8 @@ Education customers who wish to avoid the additional overhead associated with Wi publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" - xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + xmlns:wcm="https://schemas.microsoft.com/WMIConfig/2002/State" + xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"> 1 diff --git a/education/windows/get-minecraft-device-promotion.md b/education/windows/get-minecraft-device-promotion.md index 6fb8b22725..d0b001b4b7 100644 --- a/education/windows/get-minecraft-device-promotion.md +++ b/education/windows/get-minecraft-device-promotion.md @@ -2,7 +2,7 @@ title: Get Minecraft Education Edition with your Windows 10 device promotion description: Windows 10 device promotion for Minecraft Education Edition licenses keywords: school, Minecraft, education edition -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -11,7 +11,6 @@ searchScope: - Store ms.author: trudyha ms.date: 06/05/2018 -ms.technology: Windows --- # Get Minecraft: Education Edition with Windows 10 device promotion diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 11aeea97ed..b4d1febe79 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -2,7 +2,7 @@ title: Get Minecraft Education Edition description: Learn how to get and distribute Minecraft Education Edition. keywords: school, Minecraft, education edition -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -10,8 +10,7 @@ author: trudyha searchScope: - Store ms.author: trudyha -ms.date: 07/27/2017 -ms.technology: Windows +ms.date: 01/29/2019 ms.topic: conceptual --- @@ -22,7 +21,7 @@ ms.topic: conceptual - Windows 10 -[Minecraft: Education Edition](http://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft. +[Minecraft: Education Edition](https://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft. diff --git a/education/windows/images/1812_Add_Apps_SUSPC.png b/education/windows/images/1812_Add_Apps_SUSPC.png new file mode 100644 index 0000000000..b494aea2dd Binary files /dev/null and b/education/windows/images/1812_Add_Apps_SUSPC.png differ diff --git a/education/windows/index.md b/education/windows/index.md index 5f82e1d09a..d30a753c88 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -3,7 +3,6 @@ title: Windows 10 for Education (Windows 10) description: Learn how to use Windows 10 in schools. keywords: Windows 10, education ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/s-mode-switch-to-edu.md b/education/windows/s-mode-switch-to-edu.md index 285f3bea98..363cc0b93e 100644 --- a/education/windows/s-mode-switch-to-edu.md +++ b/education/windows/s-mode-switch-to-edu.md @@ -5,11 +5,10 @@ keywords: Windows 10 S switch, S mode Switch, switch in S mode, Switch S mode, W ms.mktglfcycl: deploy ms.localizationpriority: medium ms.prod: w10 -ms.technology: Windows ms.sitesec: library ms.pagetype: edu -ms.date: 04/30/2018 -author: Mikeblodge +ms.date: 12/03/2018 +author: jaimeo --- # Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode @@ -54,7 +53,7 @@ Tenant-wide Windows 10 Pro in S mode > Pro Education in S mode
    Tenant-wide Windows 10 Pro > Pro Education > [!IMPORTANT] -> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare metal recover (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. +> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to roll back this kind of switch is through a [bare metal recovery (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. ### Devices running Windows 10, version 1709 diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index d2daacd44e..1437894aa9 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -2,7 +2,7 @@ title: For IT administrators get Minecraft Education Edition description: Learn how IT admins can get and distribute Minecraft in their schools. keywords: Minecraft, Education Edition, IT admins, acquire -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -10,8 +10,7 @@ author: trudyha searchScope: - Store ms.author: trudyha -ms.date: 1/5/2018 -ms.technology: Windows +ms.date: 01/30/2019 ms.topic: conceptual --- @@ -21,11 +20,24 @@ ms.topic: conceptual - Windows 10 -When you sign up for a [Minecraft: Education Edition](http://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](http://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Microsoft Store for Education which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Store for Education is only displayed to members of your organization. +When you sign up for a [Minecraft: Education Edition](https://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](https://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Microsoft Store for Education which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Store for Education is only displayed to members of your organization. >[!Note] >If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you request Minecraft: Education Edition. For more information see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans). +## Settings for Office 365 A3 or Office 365 A5 customers + +Schools that purchased these products have an extra option for making Minecraft: Education Edition available to their students: +- Office 365 A3 or Office 365 A5 +- Enterprise Mobility + Security E3 or Enterprise Mobility + Security E5 +- Minecraft: Education Edition + +If your school has these products in your tenant, admins can choose to enable Minecraft: Education Edition for students using Office 365 A3 or Office 365 A5. On your Office 365 A3 or Office 365 A5 details page in **Microsoft Store for Education**, under **Settings & actions**, you can select **Allow access to Minecraft: Education Edition for users of Office 365 A3 or Office 365 A5**. + +When this setting is selected, students in your tenant can use Minecraft: Education Edition even if they do not have a trial or a direct license assigned to them. + +If you turn off this setting after students have been using Minecraft: Education Edition, they will have 25 more days to use Minecraft: Education Edition before they do not have access. + ## Add Minecraft to your Microsoft Store for Education You can start with the Minecraft: Education Edition trial to get individual copies of the app. For more information, see [Minecraft: Education Edition - direct purchase](#individual-copies). @@ -34,7 +46,7 @@ If you’ve been approved and are part of the Enrollment for Education Solutions ### Minecraft: Education Edition - direct purchase -1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **GET STARTED**. +1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **GET STARTED**. diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md index 16b59b9799..ecfbf5b1fc 100644 --- a/education/windows/set-up-school-pcs-azure-ad-join.md +++ b/education/windows/set-up-school-pcs-azure-ad-join.md @@ -3,14 +3,13 @@ title: Azure AD Join with Setup School PCs app description: Describes how Azure AD Join is configured in the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium author: lenewsad ms.author: lanewsad -ms.date: 07/13/2018 +ms.date: 01/11/2019 --- # Azure AD Join for school PCs @@ -76,7 +75,7 @@ to delete. 3. Select and delete inactive and expired user accounts. ### How do I know if my package expired? -Automated Azure AD tokens expire after 30 days. The expiration date for each token is appended to the end of the saved provisioning package, on the USB drive. After this date, you must create a new package. Be careful that you don't delete active accounts. +Automated Azure AD tokens expire after 180 days. The expiration date for each token is appended to the end of the saved provisioning package, on the USB drive. After this date, you must create a new package. Be careful that you don't delete active accounts. ![Screenshot of the Azure portal, Azure Active Directory, All Users page. Highlights all accounts that start with the prefix package_ and can be deleted.](images/suspc-admin-token-delete-1807.png) diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md index 021860eac7..030e698372 100644 --- a/education/windows/set-up-school-pcs-provisioning-package.md +++ b/education/windows/set-up-school-pcs-provisioning-package.md @@ -3,7 +3,6 @@ title: What's in Set up School PCs provisioning package description: Lists the provisioning package settings that are configured in the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu @@ -83,23 +82,21 @@ For a more detailed look of each policy listed, see [Policy CSP](https://docs.mi |Updates Windows | Nightly | Sets Windows to update on a nightly basis. | ## Apps uninstalled from Windows 10 devices -Set up School PCs app uses the Universal app uninstall policy. This policy identifies default apps that are not relevant to the classroom experience, and uninstalls them from each device. The following table lists all apps uninstalled from Windows 10 devices. +Set up School PCs app uses the Universal app uninstall policy. This policy identifies default apps that are not relevant to the classroom experience, and uninstalls them from each device. ALl apps uninstalled from Windows 10 devices include: -|App name |Application User Model ID | -|---------|---------| -|3D Builder | Microsoft.3DBuilder_8wekyb3d8bbwe | -|Bing Weather | Microsoft.BingWeather_8wekyb3d8bbwe | -|Desktop App Installer|Microsoft.DesktopAppInstaller_8wekyb3d8bbwe| -|Get Started | Microsoft.Getstarted_8wekyb3d8bbw | -|Messaging|Microsoft.Messaging_8wekyb3d8bbwe -|Microsoft Office Hub| Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe | -|Microsoft Solitaire Collection | Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe | -|One Connect|Microsoft.OneConnect_8wekyb3d8bbwe| -|Paid Wi-Fi & Cellular | Microsoft.OneConnect_8wekyb3d8bbwe | -|Feedback Hub | Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe | -|Xbox | Microsoft.XboxApp_8wekyb3d8bbwe | -|Mail/Calendar | microsoft.windowscommunicationsapps_8wekyb3d8bbwe| +* Mixed Reality Viewer +* Weather +* Desktop App Installer +* Tips +* Messaging +* My Office +* Microsoft Solitaire Collection +* Mobile Plans +* Feedback Hub +* Xbox +* Mail/Calendar +* Skype ## Apps installed on Windows 10 devices Set up School PCs uses the Universal app install policy to install school-relevant apps on all Windows 10 devices. Apps that are installed include: diff --git a/education/windows/set-up-school-pcs-shared-pc-mode.md b/education/windows/set-up-school-pcs-shared-pc-mode.md index 6276de2a50..3b3a9148a0 100644 --- a/education/windows/set-up-school-pcs-shared-pc-mode.md +++ b/education/windows/set-up-school-pcs-shared-pc-mode.md @@ -3,7 +3,6 @@ title: Shared PC mode for school devices description: Describes how shared PC mode is set for devices set up with the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index d826440afe..957af5e711 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -3,7 +3,6 @@ title: Set up School PCs app technical reference overview description: Describes the purpose of the Set up School PCs app for Windows 10 devices. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md index e942cf9a0a..4d555813ad 100644 --- a/education/windows/set-up-school-pcs-whats-new.md +++ b/education/windows/set-up-school-pcs-whats-new.md @@ -3,18 +3,28 @@ title: What's new in the Windows Set up School PCs app description: Find out about app updates and new features in Set up School PCs. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium author: lenewsad ms.author: lanewsad -ms.date: 10/23/2018 +ms.date: 01/11/2019 --- # What's new in Set up School PCs -Learn what’s new with the Set up School PCs app each week. Find out about new app features and functionality, and see updated screenshots. You'll also find information about past releases. +Learn what’s new with the Set up School PCs app each week. Find out about new app features and functionality, and see updated screenshots. You'll also find information about past releases. + +## Week of December 31, 2019 + +### Add Microsoft Whiteboard to provisioning package +Microsoft Whiteboard has been added to the list of Microsoft-recommended apps for schools. Whiteboard is a freeform digital canvas where ideas, content, and people come together so students can create and collaborate in real time in the classroom. You can add Whiteboard to your provisioning package in Set up School PCs, on the **Add apps** page. For more information see [Use Set up School PCs app](use-set-up-school-pcs-app.md#create-the-provisioning-package). + +## Week of November 5, 2018 + +### Sync school app inventory from Microsoft Store +During setup, you can now add apps from your school's Microsoft Store inventory. After you sign in with your school's Office 365 account, Set up School PCs will sync the apps from Microsoft Store, and make them visible on the **Add apps** page. For more information about adding apps, see [Use Set Up School PCs app](use-set-up-school-pcs-app.md#create-the-provisioning-package). + ## Week of October 15, 2018 diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 0f59dd6be5..a14aa4c69b 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -2,8 +2,7 @@ title: Set up student PCs to join domain description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. keywords: school, student PC setup, Windows Configuration Designer -ms.prod: W10 -ms.technology: Windows +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index 32c2f71bbb..77b6702db0 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md @@ -3,7 +3,6 @@ title: Provision student PCs with apps description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. keywords: shared cart, shared PC, school, provision PCs with apps, Windows Configuration Designer ms.prod: w10 -ms.technology: Windows ms.pagetype: edu ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md index 90bffc1644..f4f62a27f3 100644 --- a/education/windows/set-up-windows-10.md +++ b/education/windows/set-up-windows-10.md @@ -3,7 +3,6 @@ title: Set up Windows devices for education description: Decide which option for setting up Windows 10 is right for you. keywords: school, Windows device setup, education device setup ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index c444c9f842..8cfa0f104d 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -3,7 +3,6 @@ title: Take a Test app technical reference description: The policies and settings applied by the Take a Test app. keywords: take a test, test taking, school, policies ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu @@ -24,7 +23,7 @@ Take a Test is an app that locks down the PC and displays an online assessment w Whether you are a teacher or IT administrator, you can easily configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment for more secure online assessments. This means that students taking the tests that don’t have copy/paste privileges, can’t access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher’s preferred assessment website to deliver digital assessments -Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](http://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. For more information, see [Take a Test Javascript API](https://docs.microsoft.com/windows/uwp/apps-for-education/take-a-test-api). +Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](https://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. For more information, see [Take a Test Javascript API](https://docs.microsoft.com/windows/uwp/apps-for-education/take-a-test-api). ## PC lockdown for assessment diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 3c4d28cb04..c08098f28d 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -3,7 +3,6 @@ title: Set up Take a Test on multiple PCs description: Learn how to set up and use the Take a Test app on multiple PCs. keywords: take a test, test taking, school, set up on multiple PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu @@ -29,7 +28,7 @@ To configure a dedicated test account on multiple PCs, select any of the followi - [Configuration in Intune for Education](#set-up-a-test-account-in-intune-for-education) - [Mobile device management (MDM) or Microsoft System Center Configuration Manager](#set-up-a-test-account-in-mdm-or-configuration-manager) - [Provisioning package created through Windows Configuration Designer](#set-up-a-test-account-through-windows-configuration-designer) -- [Group Policy to deploy a scheduled task that runs a Powershell script](#set-up-a-test-account-in-group-policy) +- [Group Policy to deploy a scheduled task that runs a Powershell script](https://docs.microsoft.com/education/windows/take-a-test-multiple-pcs#create-a-scheduled-task-in-group-policy) ### Set up a test account in the Set up School PCs app If you want to set up a test account using the Set up School PCs app, configure the settings in the **Set up the Take a Test app** page in the Set up School PCs app. Follow the instructions in [Use the Set up School PCs app](use-set-up-school-pcs-app.md) to configure the test-taking account and create a provisioning package. @@ -169,7 +168,7 @@ This sample PowerShell script configures the tester account and the assessment U ``` $obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'"; -$obj.LaunchURI='http://www.foo.com'; +$obj.LaunchURI='https://www.foo.com'; $obj.TesterAccount='TestAccount'; $obj.put() Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount @@ -266,7 +265,7 @@ Once the shortcut is created, you can copy it and distribute it to students. ## Assessment URLs This assessment URL uses our lockdown API: -- SBAC/AIR: [http://mobile.tds.airast.org/launchpad/](http://mobile.tds.airast.org/launchpad/). +- SBAC/AIR: [https://mobile.tds.airast.org/launchpad/](https://mobile.tds.airast.org/launchpad/). ## Related topics diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 666b4d00a1..43ab25e727 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -3,7 +3,6 @@ title: Set up Take a Test on a single PC description: Learn how to set up and use the Take a Test app on a single PC. keywords: take a test, test taking, school, set up on single PC ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index 7dfc8d1034..bede949a26 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -3,7 +3,6 @@ title: Take tests in Windows 10 description: Learn how to set up and use the Take a Test app. keywords: take a test, test taking, school, how to, use Take a Test ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 87afbb458f..b5f3145c61 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -2,8 +2,7 @@ title: For teachers get Minecraft Education Edition description: Learn how teachers can get and distribute Minecraft. keywords: school, Minecraft, Education Edition, educators, teachers, acquire, distribute -ms.prod: W10 -ms.technology: Windows +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -11,7 +10,7 @@ author: trudyha searchScope: - Store ms.author: trudyha -ms.date: 1/5/2018 +ms.date: 01/05/2018 ms.topic: conceptual --- @@ -24,13 +23,13 @@ ms.topic: conceptual The following article describes how teachers can get and distribute Minecraft: Education Edition. Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the Microsoft Store for Education, via volume licensing agreements and through partner resellers. -To get started, go to http://education.minecraft.net/ and select **GET STARTED**. +To get started, go to https://education.minecraft.net/ and select **GET STARTED**. ## Try Minecraft: Education Edition for Free Minecraft: Education Edition is available for anyone to try for free! The free trial is fully-functional but limited by the number of logins (25 for teachers and 10 for students) before a paid license will be required to continue playing. -To learn more and get started, go to http://education.minecraft.net/ and select **GET STARTED**. +To learn more and get started, go to https://education.minecraft.net/ and select **GET STARTED**. ## Purchase Minecraft: Education Edition for Teachers and Students diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md index 29964738e0..ac962a298b 100644 --- a/education/windows/test-windows10s-for-edu.md +++ b/education/windows/test-windows10s-for-edu.md @@ -4,7 +4,6 @@ description: Provides guidance on downloading and testing Windows 10 in S mode f keywords: Windows 10 in S mode, try, download, school, education, Windows 10 in S mode installer, existing Windows 10 education devices ms.mktglfcycl: deploy ms.prod: w10 -ms.technology: Windows ms.pagetype: edu ms.sitesec: library ms.localizationpriority: medium @@ -80,21 +79,21 @@ Check with your device manufacturer before trying Windows 10 in S mode on your d | | | | | - | - | - | -| Acer | Alldocube | American Future Tech | -| ASBISC | Asus | Atec | -| Axdia | Casper | Cyberpower | -| Daewoo | Daten | Dell | -| Epson | EXO | Fujitsu | -| Getac | Global K | Guangzhou | -| HP | Huawei | I Life | -| iNET | Intel | LANIT Trading | -| Lenovo | LG | MCJ | -| Micro P/Exertis | Microsoft | MSI | -| Panasonic | PC Arts | Positivo SA | -| Positivo da Bahia | Samsung | Teclast | -| Thirdwave | Tongfang | Toshiba | -| Trekstor | Trigem | Vaio | -| Wortmann | Yifang | | +| Acer | Alldocube | American Future Tech | +| ASBISC | Asus | Atec | +| Axdia | Casper | Cyberpower | +| Daewoo | Daten | Dell | +| Epson | EXO | Fujitsu | +| Getac | Global K | Guangzhou | +| HP | Huawei | I Life | +| iNET | Intel | LANIT Trading | +| Lenovo | LG | MCJ | +| Micro P/Exertis | Microsoft | MSI | +| Panasonic | PC Arts | Positivo SA | +| Positivo da Bahia | Samsung | Teclast | +| Thirdwave | Tongfang | Toshiba | +| Trekstor | Trigem | Vaio | +| Wortmann | Yifang | | > [!NOTE] > If you don't see any device listed on the manufacturer's web site, check back again later as more devices get added in the future. diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index ad1e1eb9e2..6a1a7946ef 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -3,7 +3,6 @@ title: Use Set up School PCs app description: Learn how to use the Set up School PCs app and apply the provisioning package. keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu @@ -213,22 +212,25 @@ Set up the Take a Test app to give online quizzes and high-stakes assessments. D 3. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to click or enter the link to view the assessment. 4. Click **Next**. -### Recommended apps -Choose from a list of recommended Microsoft Store apps to install on student PCs. Then click **Next**. After they're assigned, apps are pinned to the student's Start menu. +### Add apps +Choose from Microsoft recommended apps and your school's own Microsoft Store inventory. The apps you select here are added to the provisioning package and installed on student PCs. After they're assigned, apps are pinned to the device's Start menu. - ![Example screenshots of the Add recommended apps screen with recommended app icons and selection boxes. Some apps selected for example purposes.](images/1810_SUSPC_add_apps.png) +If there aren't any apps in your Microsoft Store inventory, or you don't have the permissions to add apps, you'll need to contact your school admin for help. If you receive a message that you can't add the selected apps, click **Continue without apps**. Contact your school admin to get these apps later. + +After you've made your selections, click **Next**. + + + ![Example screenshots of the Add apps screen with selection of recommended apps and school inventory apps.](images/1812_Add_Apps_SUSPC.png) The following table lists the recommended apps you'll see. |App |Note | |---------|---------| |Office 365 for Windows 10 in S mode (Education Preview) | Setup is only successful on student PCs that run Windows 10 in S mode. The PC you running the Set up School PCs app is not required to have Windows 10 in S mode. | +|Microsoft Whiteboard | None| |Minecraft: Education Edition | Free trial| -|Other apps fit for the classroom |Select from WeDo 2.0 LEGO®, Arduino IDE, Ohbot, Sesavis Visual, and EV3 Programming| -If you receive an error and are unable to add the selected apps, click **Continue without apps**. Contact your IT admin to get these apps later. - ![Example screenshots of the Add recommended apps screen with message that selected apps could not be added. Red rectangles highlight the message and Continue without apps button.](images/1810_SUSPC_app_error.png) ### Personalization Upload custom images to replace the student devices' default desktop and lock screen backgrounds. Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png. diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index 77282ce61d..d37d3c1d20 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md @@ -3,7 +3,6 @@ title: Windows 10 editions for education customers description: Provides an overview of the two Windows 10 editions that are designed for the needs of K-12 institutions. keywords: Windows 10 Pro Education, Windows 10 Education, Windows 10 editions, education customers ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu @@ -21,7 +20,7 @@ ms.date: 10/13/2017 Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](https://go.microsoft.com/fwlink/?LinkId=822619) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620). -Beginning with version 1607, Windows 10 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](https://go.microsoft.com/fwlink/?LinkID=821951) or [Windows Configuration Designer](https://go.microsoft.com/fwlink/?LinkId=822623), easier delivery of digital assessments with [Take a Test](https://go.microsoft.com/fwlink/?LinkID=821956), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](http://www.windows.com/). +Beginning with version 1607, Windows 10 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](https://go.microsoft.com/fwlink/?LinkID=821951) or [Windows Configuration Designer](https://go.microsoft.com/fwlink/?LinkId=822623), easier delivery of digital assessments with [Take a Test](https://go.microsoft.com/fwlink/?LinkID=821956), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/). Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments. diff --git a/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md b/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md index 899bf80cdd..f36bf3a87b 100644 --- a/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md +++ b/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md @@ -67,7 +67,7 @@ The following best practices should be considered when sequencing a new applicat   - **Sequence to a unique directory that follows the 8.3 naming convention.** +- **Sequence to a unique directory that follows the 8.3 naming convention.** You should sequence all applications to a directory that follows the 8.3 naming convention. The specified directory name cannot contain more than eight characters, followed by a three-character file name extension—for example, **Q:\\MYAPP.ABC**. diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md index ceacdbb6dc..f45c3a42c9 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md +++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md @@ -14,7 +14,7 @@ ms.date: 07/25/2017 # Deploying Microsoft Office 2016 by Using App-V -Use the information in this article to use Microsoft Application Virtualization 5.0, or later versions, to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v.md). For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](deploying-microsoft-office-2010-by-using-app-v.md). +Use the information in this article to use Microsoft Application Virtualization 5.0, or later versions, to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2013, see [Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v.md). For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](deploying-microsoft-office-2010-by-using-app-v.md). This topic contains the following sections: @@ -56,7 +56,7 @@ Use the following table to get information about supported versions of Office an -

    [Planning for Using App-V with coexsiting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting)

    +

    [Planning for Using App-V with coexisting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting)

    Considerations for installing different versions of Office on the same computer

    diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md index d2b4fb5e5e..3cf91ddf99 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md +++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md @@ -56,7 +56,7 @@ Use the following table to get information about supported versions of Office an -

    [Planning for Using App-V with coexsiting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting)

    +

    [Planning for Using App-V with coexisting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting)

    Considerations for installing different versions of Office on the same computer

    diff --git a/mdop/dart-v10/getting-started-with-dart-10.md b/mdop/dart-v10/getting-started-with-dart-10.md index f301a986ed..daca6358aa 100644 --- a/mdop/dart-v10/getting-started-with-dart-10.md +++ b/mdop/dart-v10/getting-started-with-dart-10.md @@ -14,13 +14,12 @@ ms.date: 08/30/2016 # Getting Started with DaRT 10 -Microsoft Diagnostics and Recovery Toolset (DaRT) 10 requires thorough planning before you deploy it or use its features. If you are new to this product, we recommend that you read the documentation carefully. Before you deploy the product to a production environment, we also recommend that you validate your deployment plan in a test network environment. You might also consider taking a class about relevant technologies. For more information about Microsoft training opportunities, see the Microsoft Training Overview at [https://go.microsoft.com/fwlink/p/?LinkId=80347](https://go.microsoft.com/fwlink/?LinkId=80347). - -**Note**   -A downloadable version of this administrator’s guide is not available. However, you can learn about a special mode of the TechNet Library that allows you to select articles, group them in a collection, and print them or export them to a file at (https://go.microsoft.com/fwlink/?LinkId=272493). - -Additional downloadable information about this product can also be found at . +Microsoft Diagnostics and Recovery Toolset (DaRT) 10 requires thorough planning before you deploy it or use its features. If you are new to this product, we recommend that you read the documentation carefully. Before you deploy the product to a production environment, we also recommend that you validate your deployment plan in a test network environment. You might also consider taking a class about relevant technologies. +>[!NOTE]   +>A downloadable version of this administrator’s guide is not available. However, you can click **Download PDF** at the bottom of the Table of Contents pane to get a PDF version of this guide. +> +>Additional information about this product can also be found on the [Diagnostics and Recovery Toolset documentation download page.](https://www.microsoft.com/download/details.aspx?id=27754)   ## Getting started with DaRT 10 diff --git a/mdop/docfx.json b/mdop/docfx.json index a6ff6398ef..530722278f 100644 --- a/mdop/docfx.json +++ b/mdop/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/mdop/index.md b/mdop/index.md index 757a88fd9a..4764ce169b 100644 --- a/mdop/index.md +++ b/mdop/index.md @@ -167,7 +167,7 @@ MDOP is a suite of products that can help streamline desktop deployment, managem MDOP subscribers can download the software at the [Microsoft Volume Licensing website (MVLS)](https://go.microsoft.com/fwlink/p/?LinkId=166331). **Purchase MDOP** -Visit the enterprise [Purchase Windows Enterprise Licensing](https://www.microsoft.com/windows/enterprise/how-to-buy.aspx) website to find out how to purchase MDOP for your business. +Visit the enterprise [Purchase Windows Enterprise Licensing](https://www.microsoft.com/licensing/how-to-buy/how-to-buy) website to find out how to purchase MDOP for your business.   diff --git a/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md b/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md index c9e289d2f4..7dffbbbb92 100644 --- a/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md +++ b/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md @@ -159,7 +159,7 @@ Removable Data Volume encryption status will not be shown in the report.

    Policy-Fixed Data Drive

    -

    Indicates if encryption is required for the dixed data drive.

    +

    Indicates if encryption is required for the fixed data drive.

    Policy Removable Data Drive

    diff --git a/mdop/mbam-v25/mbam-25-security-considerations.md b/mdop/mbam-v25/mbam-25-security-considerations.md index 76a6a6c45c..37c627b035 100644 --- a/mdop/mbam-v25/mbam-25-security-considerations.md +++ b/mdop/mbam-v25/mbam-25-security-considerations.md @@ -32,7 +32,7 @@ This topic contains the following information about how to secure Microsoft BitL ## Configure MBAM to escrow the TPM and store OwnerAuth passwords -**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addition, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details. +**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addition, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/windows/security/information-protection/tpm/change-the-tpm-owner-password) for further details. Depending on its configuration, the Trusted Platform Module (TPM) will lock itself in certain situations ─ such as when too many incorrect passwords are entered ─ and can remain locked for a period of time. During TPM lockout, BitLocker cannot access the encryption keys to perform unlock or decryption operations, requiring the user to enter their BitLocker recovery key to access the operating system drive. To reset TPM lockout, you must provide the TPM OwnerAuth password. @@ -40,7 +40,7 @@ MBAM can store the TPM OwnerAuth password in the MBAM database if it owns the TP ### Escrowing TPM OwnerAuth in Windows 8 and higher -**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details. +**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/windows/security/information-protection/tpm/change-the-tpm-owner-password) for further details. In Windows 8 or higher, MBAM no longer must own the TPM to store the OwnerAuth password, as long as the OwnerAuth is available on the local machine. diff --git a/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md b/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md index f650f130b3..8cf42399fe 100644 --- a/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md +++ b/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md @@ -13,32 +13,37 @@ ms.date: 2/16/2018 # Upgrading to MBAM 2.5 SP1 from MBAM 2.5 This topic describes the process for upgrading the Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 and the MBAM Client from 2.5 to MBAM 2.5 SP1. -### Before you begin, download the September 2017 servicing release -[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=56126) +### Before you begin +#### Download the July 2018 servicing release +[Desktop Optimization Pack](https://www.microsoft.com/download/details.aspx?id=57157) +#### Verify the installation documentaion +Verify you have a current documentation of your MBAM environment, including all server names, database names, service accounts and their passwords. + +### Upgrade steps #### Steps to upgrade the MBAM Database (SQL Server) -1. Using the MBAM Configurator; remove the Reports roll from the SQL server, or wherever the SSRS database is housed (Could be on the same server or different one, depending on your environment) +1. Using the MBAM Configurator; remove the Reports role from the SQL server, or wherever the SSRS database is hosted. Depending on your environment, this can be the same server or a separate one. Note: You will not see an option to remove the Databases; this is expected.   2. Install 2.5 SP1 (Located with MDOP - Microsoft Desktop Optimization Pack 2015 from the Volume Licensing Service Center site: 3. Do not configure it at this time  -4. Install the September Rollup: https://www.microsoft.com/en-us/download/details.aspx?id=56126 -5. Using the MBAM Configurator; re-add the Reports rollup +4. Install the July 2018 Rollup: https://www.microsoft.com/download/details.aspx?id=57157 +5. Using the MBAM Configurator; re-add the Reports role 6. This will configure the SSRS connection using the latest MBAM code from the rollup  -7. Using the MBAM Configurator; re-add the SQL Database roll on the SQL Server. -- At the end, you will be warned that the DBs already exist and weren’t created, but this is  expected. +7. Using the MBAM Configurator; re-add the SQL Database role on the SQL Server. +- At the end, you will be warned that the DBs already exist and weren’t created, but this is expected. - This process updates the existing databases to the current version being installed       #### Steps to upgrade the MBAM Server (Running MBAM and IIS) 1. Using the MBAM Configurator; remove the Admin and Self Service Portals from the IIS server 2. Install MBAM 2.5 SP1 3. Do not configure it at this time   -4. Install the September 2017 Rollup on the IIS server(https://www.microsoft.com/en-us/download/details.aspx?id=56126) +4. Install the July 2018 Rollup on the IIS server(https://www.microsoft.com/download/details.aspx?id=57157) 5. Using the MBAM Configurator; re-add the Admin and Self Service Portals to the IIS server  -6. This will configure the sites using the latest MBAM code from the June Rollup +6. This will configure the sites using the latest MBAM code from the July 2018 Rollup - Open an elevated command prompt, Type: **IISRESET** and Hit Enter. #### Steps to upgrade the MBAM Clients/Endpoints 1. Uninstall the 2.5 Agent from client endpoints 2. Install the 2.5 SP1 Agent on the client endpoints -3. Push out the September Rollup Client update to clients running the 2.5 SP1 Agent  -4. There is no need to uninstall existing client prior to installing the September Rollup.   +3. Push out the July 2018 Rollup Client update to clients running the 2.5 SP1 Agent  +4. There is no need to uninstall the existing client prior to installing the July 2018 Rollup.   diff --git a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md index b183080d0a..bb717d6751 100644 --- a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md +++ b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md @@ -22,7 +22,7 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa 1. Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531) -2. Run the downloaded file to extract the template folders. +2. Expand the downloaded .cab file by running `expand \MDOP_ADMX_Templates.cab -F:* ` **Warning**   Do not extract the templates directly to the Group Policy deployment directory. Multiple technologies and versions are bundled in this file. diff --git a/mdop/uev-v2/security-considerations-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/security-considerations-for-ue-v-2x-both-uevv2.md index 09f7739c77..d82e263f02 100644 --- a/mdop/uev-v2/security-considerations-for-ue-v-2x-both-uevv2.md +++ b/mdop/uev-v2/security-considerations-for-ue-v-2x-both-uevv2.md @@ -43,7 +43,7 @@ Because settings packages might contain personal information, you should take ca | User account | Recommended permissions | Folder | | - | - | - | - | Creator/Owner | No permissions | No permissions | + | Creator/Owner | Full control | Subfolders and files only| | Domain Admins | Full control | This folder, subfolders, and files | | Security group of UE-V users | List folder/read data, create folders/append data | This folder only | | Everyone | Remove all permissions | No permissions | diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md index 393503a4e4..db464151f8 100644 --- a/smb/cloud-mode-business-setup.md +++ b/smb/cloud-mode-business-setup.md @@ -297,7 +297,7 @@ In this part of the walkthrough, we'll be working on the Microsoft Intune management portal, select **Admin**. -2. In the **Administration** workspace, click **Mobile Device Management**. If this is the first tiem you're using the portal, click **manage mobile devices** in the **Mobile Device Management** window. The page will refresh and you'll have new options under **Mobile Device Management**. +2. In the **Administration** workspace, click **Mobile Device Management**. If this is the first item you're using the portal, click **manage mobile devices** in the **Mobile Device Management** window. The page will refresh and you'll have new options under **Mobile Device Management**. **Figure 24** - Mobile device management @@ -433,7 +433,7 @@ In the Intune management 2. Log in to the Intune management portal. 3. Select **Groups** and then go to **Devices**. 4. In the **All Devices** page, look at the list of devices and select the entry that matches the name of your PC. - - Check that the device name appears in the list. Select the device and it will also show the user that's currently logged in in the **General Information** section. + - Check that the device name appears in the list. Select the device and it will also show the current logged-in user in the **General Information** section. - Check the **Management Channel** column and confirm that it says **Managed by Microsoft Intune**. - Check the **AAD Registered** column and confirm that it says **Yes**. diff --git a/store-for-business/images/msft-accept-partner.png b/store-for-business/images/msft-accept-partner.png new file mode 100644 index 0000000000..6b04d822a4 Binary files /dev/null and b/store-for-business/images/msft-accept-partner.png differ diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md index d0c8a17014..618205cdd5 100644 --- a/store-for-business/prerequisites-microsoft-store-for-business.md +++ b/store-for-business/prerequisites-microsoft-store-for-business.md @@ -56,6 +56,7 @@ If your organization restricts computers on your network from connecting to the - windowsphone.com - \*.wns.windows.com - \*.microsoft.com +- \*.s-microsoft.com - www.msftncsi.com (prior to Windows 10, version 1607) - www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com starting with Windows 10, version 1607) diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md index 0b88f3f051..2bcdcd39b9 100644 --- a/store-for-business/release-history-microsoft-store-business-education.md +++ b/store-for-business/release-history-microsoft-store-business-education.md @@ -13,7 +13,7 @@ ms.date: 10/31/2018 # Microsoft Store for Business and Education release history -Microsoft Store for Business and Education regularly releases new and improved feaures. Here's a summary of new or updated features in previous releases. +Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases. Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) @@ -24,7 +24,7 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store - **App requests** - People in your organization can make requests for apps that they need. hey can also request them on behalf of other people. Admins review requests and can decide on purchases. [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#allow-app-requests) ## July 2018 -- Bug fixes and permformance improvements. +- Bug fixes and performance improvements. ## June 2018 - **Change order within private store collection** - Continuing our focus on improvements for private store, now you can customize the order of products in each private store collection. @@ -39,7 +39,7 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store - **Office 365 subscription management** - We know that sometimes customers need to cancel a subscription. While we don't want to lose a customer, we want the process for managing subscriptions to be easy. Now, you can delete your Office 365 subscription without calling Support. From Microsoft Store for Business and Education, you can request to delete an Office 365 subscription. We'll wait three days before permanently deleting the subscription. In case of a mistake, customers are welcome to reactivate subscriptions during the three-day period. ## March 2018 -- **Performance improvements in private store** - We've made it significantly faster for you to udpate the private store. Many changes to the private store are available immediately after you make them. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance) +- **Performance improvements in private store** - We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance) - **Private store collection updates** - We’ve made it easier to find apps when creating private store collections – now you can search and filter results. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-collections) - **Manage Skype Communication credits** - Office 365 customers that own Skype Communication Credits can now see and manage them in Microsoft Store for Business. You can view your account, add funds to your account, and manage auto-recharge settings. @@ -53,20 +53,20 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store - **Microsoft Product and Services Agreement customers can invite people to take roles** - MPSA admins can invite people to take Microsoft Store for Business roles even if the person is not in their tenant. You provide an email address when you assign the role, and we'll add the account to your tenant and assign the role. ## December 2017 -- Bug fixes and permformance improvements. +- Bug fixes and performance improvements. ## November 2017 - **Export list of Minecraft: Education Edition users** - Admins and teachers can now export a list of users who have Minecraft: Education Edition licenses assigned to them. Click **Export users**, and Store for Education creates an Excel spreadsheet for you, and saves it as a .csv file. ## October 2017 -- Bug fixes and permformance improvements. +- Bug fixes and performance improvements. ## September 2017 - **Manage Windows device deployment with Windows Autopilot Deployment** - In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device. [Get more info](add-profile-to-devices.md) -- **Request an app** - People in your organization can reqest additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps) +- **Request an app** - People in your organization can request additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps) - **My organization** - **My organization** shows you all Agreements that apply to your organization. You can also update profile info for you org, such as mailing address and email associated with your account. -- **Manage prepaid Office 365 subscriptions** - Office 365 prepaid subscriptions can be redeemed using a prepaid token. Tokens are available through 3rd-party businesses, outside of Microsoft Store for Business or the Office 365 Admin portal. After redemming prepaid subscriptions, Admins can add more licenses or extend the subscription's expiration date. +- **Manage prepaid Office 365 subscriptions** - Office 365 prepaid subscriptions can be redeemed using a prepaid token. Tokens are available through 3rd-party businesses, outside of Microsoft Store for Business or the Office 365 Admin portal. After redeeming prepaid subscriptions, Admins can add more licenses or extend the subscription's expiration date. - **Manage Office 365 subscriptions acquired by partners** - Office 365 subscriptions purchased for your organization by a partner or reseller can be managed in Microsoft Store for Business. Admins can assign and manage licenses for these subscriptions. - **Edge extensions in Microsoft Store** - Edge Extensions are now available from Microsoft Store! You can acquire and distribute them from Microsoft Store for Business just like any other app. -- **Search results in Microsoft Store for Business** - Search results now have sub categories to help you refine search results. \ No newline at end of file +- **Search results in Microsoft Store for Business** - Search results now have sub categories to help you refine search results. diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index 39896e6c80..45d4c68486 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -28,7 +28,7 @@ We’ve been working on bug fixes and performance improvements to provide you a |-----------------------|---------------------------------| | ![Private store performance icon](images/perf-improvement-icon.png) |**Performance improvements in private store**

    We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them.

    [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)

    **Applies to**:
    Microsoft Store for Business
    Microsoft Store for Education | | | **Manage Windows device deployment with Windows Autopilot Deployment**

    In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device.

    [Get more info](add-profile-to-devices.md)

    **Applies to**:
    Microsoft Store for Business
    Microsoft Store for Education | -| ![Microsoft Store for Business Settings page, Distribute tab showing app requests setting.](images/msfb-wn-1709-app-request.png) |**Request an app**

    People in your organization can reqest additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases.

    [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps)

    **Applies to**:
    Microsoft Store for Business
    Microsoft Store for Education | +| ![Microsoft Store for Business Settings page, Distribute tab showing app requests setting.](images/msfb-wn-1709-app-request.png) |**Request an app**

    People in your organization can request additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases.

    [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps)

    **Applies to**:
    Microsoft Store for Business
    Microsoft Store for Education | || ![Image showing Add a Collection.](images/msfb-add-collection.png) |**Private store collections**

    You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom.

    [Get more info](https://review.docs.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)

    **Applies to**:
    Microsoft Store for Business
    Microsoft Store for Education | --> @@ -69,7 +69,7 @@ We’ve been working on bug fixes and performance improvements to provide you a - Microsoft Product and Services Agreement customers can invite people to take roles [December 2017](release-history-microsoft-store-business-education.md#december-2017) -- Bug fixes and permformance improvements +- Bug fixes and performance improvements [November 2017](release-history-microsoft-store-business-education.md#november-2017) - Export list of Minecraft: Education Edition users diff --git a/store-for-business/work-with-partner-microsoft-store-business.md b/store-for-business/work-with-partner-microsoft-store-business.md index f364728d57..0f30df6697 100644 --- a/store-for-business/work-with-partner-microsoft-store-business.md +++ b/store-for-business/work-with-partner-microsoft-store-business.md @@ -20,7 +20,7 @@ The process goes like this: - Admins find and contact a solution provider using **Find a solution provider** in Microsoft Store for Business. - Solution providers send a request from Partner center to customers to become their solution provider. - Customers accept the invitation in Microsoft Store for Business and start working with the solution provider. -- Customers can manage setting for the relationship with Partner in Microsoft Store for Business. +- Customers can manage settings for the relationship with Partner in Microsoft Store for Business. ## What can a solution provider do for my organization or school? @@ -59,9 +59,11 @@ The solution provider will get in touch with you. You'll have a chance to learn Once you've found a solution provider and decided to work with them, they'll send you an invitation to work together from Partner Center. In Microsoft Store for Business or Education, you'll need to accept the invitation. After that, you can manage their permissions. **To accept a solution provider invitation** -1. **Follow email link** - You'll receive an email with a link accept the solution provider invitation. The link will take you to Microsoft Store for Business or Education. +1. **Follow email link** - You'll receive an email with a link to accept the solution provider invitation from your solution provider. The link will take you to Microsoft Store for Business or Education. 2. **Accept invitation** - On **Accept Partner Invitation**, select **Authorize** to accept the invitation, accept terms of the Microsoft Cloud Agreement, and start working with the solution provider. - + +![Image shows accepting an invitation from a solution provider in Microsoft Store for Business.](images/msft-accept-partner.png) + ## Delegate admin privileges Depending on the request made by the solution provider, part of accepting the invitation will include agreeing to give delegated admin privileges to the solution provider. This will happen when the solution provider request includes acting as a delegated administrator. For more information, see [Delegated admin privileges in Azure AD](https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges#delegated-admin-privileges-in-azure-ad). @@ -76,4 +78,4 @@ If you delegate admin privileges to a solution provider, you can remove that lat 3. Choose the Partner you want to manage. 4. Select **Remove Delegated Permissions**. -The solution provider will still be able to work with you, for example, as a Reseller. \ No newline at end of file +The solution provider will still be able to work with you, for example, as a Reseller. diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json index 4d805de5fe..f27666d0fd 100644 --- a/windows/access-protection/docfx.json +++ b/windows/access-protection/docfx.json @@ -36,7 +36,6 @@ "ms.technology": "windows", "ms.topic": "article", "ms.author": "justinha", - "ms.date": "04/05/2017", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-access-protection" diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md index 9ef9c0bee3..63d64c67b1 100644 --- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md +++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md @@ -309,7 +309,7 @@ The following table shows local and roaming locations when folder redirection ha The current App-V Client VFS driver can't write to network locations, so the App-V Client detects the presence of folder redirection and copies the data on the local drive during publishing and when the virtual environment starts. After the user closes the App-V application and the App-V Client closes the virtual environment, the local storage of the VFS AppData is copied back to the network, enabling roaming to additional machines, where the process will be repeated. Here's what happens during the process: 1. During publishing or virtual environment startup, the App-V Client detects the location of the AppData directory. -2. If the roaming AppData path is local or ino AppData\\Roaming location is mapped, nothing happens. +2. If the roaming AppData path is local or no AppData\\Roaming location is mapped, nothing happens. 3. If the roaming AppData path is not local, the VFS AppData directory is mapped to the local AppData directory. This process solves the problem of a non-local %AppData% that is not supported by the App-V Client VFS driver. However, the data stored in this new location is not roamed with folder redirection. All changes during the running of the application happen to the local AppData location and must be copied to the redirected location. The process does the following things: @@ -399,7 +399,7 @@ The process then configures the client for package or connection group additions 7. Create the **Registry.dat** file from the package store to **%ProgramData%\\Microsoft\\AppV\\Client\\VReg\\{VersionGUID}.dat**. - 8. Register the package with the App-V Kernal Mode Driver at **HKLM\\Microsoft\\Software\\AppV\\MAV**. + 8. Register the package with the App-V Kernel Mode Driver at **HKLM\\Microsoft\\Software\\AppV\\MAV**. 9. Invoke scripting from the **AppxManifest.xml** or **DeploymentConfig.xml** file for Package Add timing. diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md index 324dc031b3..b4bd1c4426 100644 --- a/windows/application-management/app-v/appv-auto-batch-updating.md +++ b/windows/application-management/app-v/appv-auto-batch-updating.md @@ -80,7 +80,7 @@ Updating multiple apps at the same time requires that you create a **ConfigFile* ## Update multiple apps with the App-V Sequencer interface -Updating multipe apps at the same time requires that you create a **ConfigFile** to collect all of the info related to each round of updating. This file is then used by the App-V Sequencer interface after creating a "clean" checkpoint on your VM. +Updating multiple apps at the same time requires that you create a **ConfigFile** to collect all of the info related to each round of updating. This file is then used by the App-V Sequencer interface after creating a "clean" checkpoint on your VM. ### Create your ConfigFile for use by the App-V Sequencer interface @@ -93,7 +93,7 @@ Updating multipe apps at the same time requires that you create a **ConfigFile** - ``````. The file name for the app executable. This will typically be an .exe or .msi file. - ``````. The file path to the location of your App-V packages. These packages were created when you sequenced your apps. - ``````. The maximum amount of time, in minutes, the cmdlet should wait for updating to complete. You can enter a different value for each app, based on the size and complexity of the app itself. - - ``````. Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to usea cmdlet-based updating, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps. + - ``````. Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to use cmdlet-based updating, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps. - ``````. Indicates whether the app should be sequenced. **True** includes the app, while **False** ignores it. You can include as many apps as you want in the batch file, but optionally enable only a few of them. **Example:** diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md index 4eb8944558..8fef0869e5 100644 --- a/windows/application-management/app-v/appv-capacity-planning.md +++ b/windows/application-management/app-v/appv-capacity-planning.md @@ -182,7 +182,7 @@ Discounting scaling and fault-tolerance requirements, the minimum number of serv Ignoring scaling requirements, the minimum number of servers that a fault-tolerant implementation needs to function is four. The management server and Microsoft SQL Server roles support placement in fault-tolerant configurations. The management server service can be combined with any of the roles, but remains a single point of failure. -Although there are many fault-tolerance strategies and technologies you can use, not all are applicable to a given service. Additionally, if App-V roles are combined, the resulting incompatabilities could cause certain fault-tolerance options to stop working. +Although there are many fault-tolerance strategies and technologies you can use, not all are applicable to a given service. Additionally, if App-V roles are combined, the resulting incompatibilities could cause certain fault-tolerance options to stop working. ## Have a suggestion for App-V? diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md index 8ecf438180..1e827161ce 100644 --- a/windows/application-management/app-v/appv-client-configuration-settings.md +++ b/windows/application-management/app-v/appv-client-configuration-settings.md @@ -14,7 +14,7 @@ ms.date: 04/18/2018 The Microsoft Application Virtualization (App-V) client stores its configuration in the registry. Understanding how the register's format for data works can help you better understand the client, as you can configure many client actions by changing registry entries. This topic lists the App-V client configuration settings and explains their uses. You can use Windows PowerShell to modify the client configuration settings. For more information about using Windows PowerShell and App-V see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md). -You can use Group Policy to configure App-V client settings by navigating to the **Group Policy managment console** at **Computer Configuration** > **Administrative Templates** > **System** > **App-V**. +You can use Group Policy to configure App-V client settings by navigating to the **Group Policy management console** at **Computer Configuration** > **Administrative Templates** > **System** > **App-V**. ## App-V Client Configuration Settings: Windows PowerShell diff --git a/windows/application-management/app-v/appv-connection-group-file.md b/windows/application-management/app-v/appv-connection-group-file.md index 06c74f260d..ad317ada6d 100644 --- a/windows/application-management/app-v/appv-connection-group-file.md +++ b/windows/application-management/app-v/appv-connection-group-file.md @@ -95,7 +95,7 @@ You can use the connection group file to configure each connection group by usin The priority field is required when a running virtual application initiates from a native application request, such as Microsoft Windows Explorer. The App-V client uses the priority to determine which connection group virtual environment the application should run in. This situation occurs if a virtual application is part of multiple connection groups. -If a virtual application is opened using another virtual application, the client will use the orignal virtual application's virtual environment. The priority field is not used in this case. +If a virtual application is opened using another virtual application, the client will use the original virtual application's virtual environment. The priority field is not used in this case. The following is an example of priority configuration: diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md index 19b27e45f8..58ccffc7a8 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md +++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md @@ -24,7 +24,7 @@ Here are some important things to know before you get started: - If you add user-published packages in globally entitled connection groups, the connection group will fail. - Track the connection groups where you've used a non-optional package before removing it with the **Unpublish-AppvClientPackage <package> -global** cmdlet. - In situations where you have a gobally published package that's listed as non-optional in a user-published connection group that also appears in other packages, running **Unpublish-AppvClientPackage <package> -global** cmdlet can unpublish the package from every connection group containing that package. Tracking connection groups can help you avoid unintentionally unpublishing non-optional packages. + In situations where you have a globally published package that's listed as non-optional in a user-published connection group that also appears in other packages, running **Unpublish-AppvClientPackage <package> -global** cmdlet can unpublish the package from every connection group containing that package. Tracking connection groups can help you avoid unintentionally unpublishing non-optional packages. ## How to use Windows PowerShell cmdlets to create user-entitled connection groups diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md index 7dbb8d0e48..a2b8ba9569 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md @@ -413,12 +413,11 @@ To use a custom instance of Microsoft SQL Server, use these parameters: ### Example for using a custom instance of Microsoft SQL Server for installing the Reporting database on a different computer than the Reporting server ```SQL -Using a custom instance of Microsoft SQL Server example:
    -/appv_server_setup.exe /QUIET
    -/DB_PREDEPLOY_REPORTING
    -/REPORTING_DB_CUSTOM_SQLINSTANCE="SqlInstanceName"
    -/REPORTING_DB_NAME="AppVReporting"
    -/REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT="Domain\MachineAccount"
    +/appv_server_setup.exe /QUIET +/DB_PREDEPLOY_REPORTING +/REPORTING_DB_CUSTOM_SQLINSTANCE="SqlInstanceName" +/REPORTING_DB_NAME="AppVReporting" +/REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT="Domain\MachineAccount" /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT="Domain\InstallAdminAccount" ``` diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md index 35d2485f4b..ca909f8764 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md @@ -255,7 +255,7 @@ Deploy the App-V package for Office 2013 by using the same methods you use for a ### How to publish an Office package -Run the following command to publish an Office package globally, wtih the bracketed value replaced by the path to the App-V package: +Run the following command to publish an Office package globally, with the bracketed value replaced by the path to the App-V package: ```PowerShell Add-AppvClientPackage | Publish-AppvClientPackage –global diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md index e979c7f02f..6efc162994 100644 --- a/windows/application-management/app-v/appv-deployment-checklist.md +++ b/windows/application-management/app-v/appv-deployment-checklist.md @@ -12,7 +12,7 @@ ms.date: 04/18/2018 >Applies to: Windows 10, version 1607 -This checklist outlines the recommended steps and items to consider when deploying App-V features. Use it to organize your priorites while you deploy App-V. You can copy this checklist into a spreadsheet program and customize it for your use. +This checklist outlines the recommended steps and items to consider when deploying App-V features. Use it to organize your priorities while you deploy App-V. You can copy this checklist into a spreadsheet program and customize it for your use. |Status|Task|References|Notes| |---|---|---|---| diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md index e0b0f8d0f6..2669aedab4 100644 --- a/windows/application-management/app-v/appv-dynamic-configuration.md +++ b/windows/application-management/app-v/appv-dynamic-configuration.md @@ -186,7 +186,7 @@ All shortcuts in the manifest will be ignored and no shortcuts will be integrate ``` -**File Type Associations**: Associates file types with programs to open by default as well as setup the context menu. (MIME types can also be set up with this susbsystem). The following is an example of a FileType association: +**File Type Associations**: Associates file types with programs to open by default as well as setup the context menu. (MIME types can also be set up with this subsystem). The following is an example of a FileType association: ```xml @@ -252,7 +252,7 @@ All shortcuts in the manifest will be ignored and no shortcuts will be integrate ``` -**URL Protocols**: This controls the URL Protocols integrated into the local registry of the client machine. The following example illustrates the “mailto:” ptrotocol. +**URL Protocols**: This controls the URL Protocols integrated into the local registry of the client machine. The following example illustrates the “mailto:” protocol. ```xml diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md index 2da4a3b2f6..5a78399b06 100644 --- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md @@ -16,7 +16,7 @@ To install the management server on a standalone computer and connect it to the 1. Copy the App-V server installation files to the computer on which you want to install it on. To start the App-V server installation, run **appv\_server\_setup.exe** as an administrator, then select **Install**. 2. On the **Getting Started** page, review and accept the license terms, then select **Next**. -3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft Udpate, select **Use Microsoft Update when I check for updates (recommended)**. To disable Microsoft Update, select **I don’t want to use Microsoft Update**, then select **Next**. +3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft Update, select **Use Microsoft Update when I check for updates (recommended)**. To disable Microsoft Update, select **I don’t want to use Microsoft Update**, then select **Next**. 4. On the **Feature Selection** page, select the **Management Server** checkbox, then select **Next**. 5. On the **Installation Location** page, accept the default location, then select **Next**. 6. On the **Configure Existing Management Database** page, select **Use a remote SQL Server**, then enter the computer running Microsoft SQL's machine name, such as ```SqlServerMachine```. diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md index faf22cca11..1d0c56f4bd 100644 --- a/windows/application-management/app-v/appv-performance-guidance.md +++ b/windows/application-management/app-v/appv-performance-guidance.md @@ -587,7 +587,7 @@ If, during sequencer monitoring, an SxS Assembly (such as a VC++ Runtime) is ins **Client Side**: -When publishing a virtual application package, the App-V Client will detect if a required SxS dependency is already installed. If the dependency is unavailable on the computer and it is included in the package, a traditional Windows Insataller (.**msi**) installation of the SxS assembly will be initiated. As previously documented, simply install the dependency on the computer running the client to ensure that the Windows Installer (.msi) installation will not occur. +When publishing a virtual application package, the App-V Client will detect if a required SxS dependency is already installed. If the dependency is unavailable on the computer and it is included in the package, a traditional Windows Installer (.**msi**) installation of the SxS assembly will be initiated. As previously documented, simply install the dependency on the computer running the client to ensure that the Windows Installer (.msi) installation will not occur. @@ -618,7 +618,7 @@ When publishing a virtual application package, the App-V Client will detect if a   -### Disabling a Dynamic Configuration by using Windows Powershell +### Disabling a Dynamic Configuration by using Windows PowerShell - For already published packages, you can use `Set-AppVClientPackage –Name Myapp –Path c:\Packages\Apps\MyApp.appv` without @@ -725,7 +725,7 @@ The following terms are used when describing concepts and actions related to App - From the point that users initiate a log-in to when they are able to manipulate the desktop. - - From the point where the desktop can be interacted with to the point a publishing refresh begins (in Windows PowerShell terms, sync) when using the App-V full server infrastructure. In standalone instances, it is when the **Add-AppVClientPackage** and **Publish-AppVClientPackage** Windows Powershell commands are initiated. + - From the point where the desktop can be interacted with to the point a publishing refresh begins (in Windows PowerShell terms, sync) when using the App-V full server infrastructure. In standalone instances, it is when the **Add-AppVClientPackage** and **Publish-AppVClientPackage** Windows PowerShell commands are initiated. - From start to completion of the publishing refresh. In standalone instances, this is the first to last virtual application published. diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md index 7665805a14..6bb1dfd140 100644 --- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md +++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md @@ -37,7 +37,7 @@ For more information, see [Application publishing and client interaction](appv-a ## Unsupported scenarios for App-V folder redirection -The following scenatios aren't supported by App-V: +The following scenarios aren't supported by App-V: * Configuring %LocalAppData% as a network drive. * Redirecting the Start menu to a single folder for multiple users. diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md index f83bdfa3f4..0fa930006c 100644 --- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md +++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md @@ -77,7 +77,7 @@ The connection string on the management server can be modified to include ```fai Use the following steps to modify the connection string to include ```failover partner = ```: >[!IMPORTANT] ->This process involves changing the Windows registry with Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. Always make a backup copy of the registry files (**System.dat** and **User.dat**) before chagning the registry. Microsoft can't guarantee that problems caused by changing the registry can be resolved, so change the registry at your own risk. +>This process involves changing the Windows registry with Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. Always make a backup copy of the registry files (**System.dat** and **User.dat**) before changing the registry. Microsoft can't guarantee that problems caused by changing the registry can be resolved, so change the registry at your own risk. 1. Log in to the management server and open **regedit**. 2. Navigate to **HKEY\_LOCAL\_MACHINE** \\ **Software** \\ **Microsoft** \\ **AppV** \\ **Server** \\ **ManagementService**. diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md index bcc0dd487f..15b715780d 100644 --- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md @@ -30,7 +30,7 @@ Ideally, you should install the sequencer on a computer running as a virtual mac 3. Take a “snapshot” of the environment. >[!IMPORTANT] ->Your corporate security team should review and approve the sequencing process plan before implementing it. For security reasons, it's a good idea to keep sequencer operations in a lab separate from the production environment. The sequencing computers must be capapble of connecting to the corporate network to copy finished packages to the production servers. However, because the sequencing computers are typically operated without antivirus protection, they shouldn't remail on the corporate network unprotected. You can protect your sequencing computers by operating them on an isolated network, behind a firewall, or by using virtual machines on an isolated virtual network. Make sure your solution follows your company's corporate security policies. +>Your corporate security team should review and approve the sequencing process plan before implementing it. For security reasons, it's a good idea to keep sequencer operations in a lab separate from the production environment. The sequencing computers must be capable of connecting to the corporate network to copy finished packages to the production servers. However, because the sequencing computers are typically operated without antivirus protection, they shouldn't remain on the corporate network unprotected. You can protect your sequencing computers by operating them on an isolated network, behind a firewall, or by using virtual machines on an isolated virtual network. Make sure your solution follows your company's corporate security policies. ## Planning for App-V client deployment diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md index 285bffe2fc..84ec8aeb47 100644 --- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md +++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md @@ -26,7 +26,7 @@ You can use the App-V Sequencer to create plug-in packages for language packs, l For a list of supported Office products, see [Microsoft Office Product IDs that App-V supports](https://support.microsoft.com/help/2842297/product-ids-that-are-supported-by-the-office-deployment-tool-for-click). >[!NOTE] ->You must use the Office Deployment Tool instead of the App-V Sequencer to create App-V packages for Office 365 ProPlus. App-V does not support package creation for volume-licensed versions of Office Professional Plus or Office Standard. Support for the [Office 2013 version of Office 365 ended in Februrary 2017](https://support.microsoft.com/kb/3199744). +>You must use the Office Deployment Tool instead of the App-V Sequencer to create App-V packages for Office 365 ProPlus. App-V does not support package creation for volume-licensed versions of Office Professional Plus or Office Standard. Support for the [Office 2013 version of Office 365 ended in February 2017](https://support.microsoft.com/kb/3199744). ## Using App-V with coexisting versions of Office @@ -90,7 +90,7 @@ To bypass the auto-registration operation for native Word 2010, follow these ste * In Windows 8.1 or Windows 10, enter **regedit**, select **Enter** on the Start page, then select the Enter key. - If you're prompted for an administrator password, enter the password. If you're propmted for a confirmation, select **Continue**. + If you're prompted for an administrator password, enter the password. If you're prompted for a confirmation, select **Continue**. 3. Locate and then select the following registry subkey: ``` syntax diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md index e29423c9c8..e91afa8136 100644 --- a/windows/application-management/app-v/appv-security-considerations.md +++ b/windows/application-management/app-v/appv-security-considerations.md @@ -60,7 +60,7 @@ Consider the following additional information: The following will help you plan how to ensure that virtualized packages are secure. -* If an application installer applies an access control list (ACL) to a file or directory, then that ACL is not persisted in the package. If thje file or directory is modified by a user when the package is deployed, the modified file or directory will either inherit the ACL in the **%userprofile%** or inherit the ACL of the target computer’s directory. The former occurs if the file or directory does not exist in a virtual file system location; the latter occurs if the file or directory exists in a virtual file system location, such as **%windir%**. +* If an application installer applies an access control list (ACL) to a file or directory, then that ACL is not persisted in the package. If the file or directory is modified by a user when the package is deployed, the modified file or directory will either inherit the ACL in the **%userprofile%** or inherit the ACL of the target computer’s directory. The former occurs if the file or directory does not exist in a virtual file system location; the latter occurs if the file or directory exists in a virtual file system location, such as **%windir%**. ## App-V log files diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md index 46b0feb4f1..42f52aa7d4 100644 --- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md +++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md @@ -84,7 +84,7 @@ In your publishing metadata query, enter the string values that correspond to th - + diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 5ee9f992a3..afa48aee66 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -8,134 +8,39 @@ ms.pagetype: mobile ms.author: elizapo author: lizap ms.localizationpriority: medium -ms.date: 08/23/2018 +ms.date: 12/12/2018 --- # Understand the different apps included in Windows 10 +>Applies to: Windows 10 + The following types of apps run on Windows 10: - Windows apps - introduced in Windows 8, primarily installed from the Store app. - Universal Windows Platform (UWP) apps - designed to work across platforms, can be installed on multiple platforms including Windows client, Windows Phone, and Xbox. All UWP apps are also Windows apps, but not all Windows apps are UWP apps. - "Win32" apps - traditional Windows applications. Digging into the Windows apps, there are two categories: -- System apps - Apps that are installed in the c:\Windows\* directory. These apps are integral to the OS. -- Apps - All other apps, installed in c:\Program Files\WindowsApps. There are two classes of apps: +- Apps - All other apps, installed in C:\Program Files\WindowsApps. There are two classes of apps: - Provisioned: Installed in user account the first time you sign in with a new user account. - Installed: Installed as part of the OS. +- System apps - Apps that are installed in the C:\Windows\* directory. These apps are integral to the OS. The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1607, 1703, and 1709, and indicate whether an app can be uninstalled through the UI. Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running. -> [!TIP] -> Want to see a list of the apps installed on your specific image? You can run the following PowerShell cmdlet: -> ```powershell -> Get-AppxPackage | select Name,PackageFamilyName -> Get-AppxProvisionedPackage -Online | select DisplayName,PackageName -> ``` - -## System apps - -System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1703, 1709, and 1803. - -| Name | Full name |1703 | 1709 | 1803 |Uninstall through UI? | -|------------------|-------------------------------------------|:------:|:------:|:------:|-------------------------------------------------------| -| Cortana UI | CortanaListenUIApp | x | | |No | -| | Desktop Learning | x | | |No | -| | DesktopView | x | | |No | -| | EnvironmentsApp | x | | |No | -| Mixed Reality + | HoloCamera | x | | |No | -| Mixed Reality + | HoloItemPlayerApp | x | | |No | -| Mixed Reality + | HoloShell | x | | |No | -| | InputApp | | x | x |No | -| | Microsoft.AAD.Broker.Plugin | x | x | x |No | -| | Microsoft.AccountsControl | x | x | x |No | -| Hello setup UI | Microsoft.BioEnrollment | x | x | x |No | -| | Microsoft.CredDialogHost | x | x | x |No | -| | Microsoft.ECApp | | x | x |No | -| | Microsoft.LockApp | x | x | x |No | -| Microsoft Edge | Microsoft.Microsoft.Edge | x | x | x |No | -| | Microsoft.PPIProjection | x | x | x |No | -| | Microsoft.Windows. Apprep.ChxApp | x | x | x |No | -| | Microsoft.Windows. AssignedAccessLockApp | x | x | x |No | -| | Microsoft.Windows. CloudExperienceHost | x | x | x |No | -| | Microsoft.Windows. ContentDeliveryManager | x | x | x |No | -| Cortana | Microsoft.Windows.Cortana | x | x | x |No | -| | Microsoft.Windows. Holographic.FirstRun | x | x | x |No | -| | Microsoft.Windows. ModalSharePickerHost | x | | |No | -| | Microsoft.Windows. OOBENetworkCaptivePort | x | x | x |No | -| | Microsoft.Windows. OOBENetworkConnectionFlow | x | x | x |No | -| | Microsoft.Windows. ParentalControls | x | x | x |No | -| People Hub | Microsoft.Windows. PeopleExperienceHost | | x | x |No | -| | Microsoft.Windows. PinningConfirmationDialog | | x | x |No | -| | Microsoft.Windows. SecHealthUI | x | x | x |No | -| | Microsoft.Windows. SecondaryTileExperience | x | x | |No | -| | Microsoft.Windows. SecureAssessmentBrowser | x | x | x |No | -| Start | Microsoft.Windows. ShellExperienceHost | x | x | x |No | -| Windows Feedback | Microsoft.WindowsFeedback | * | * | |No | -| | Microsoft.XboxGameCallableUI | x | x | x |No | -| Contact Support* | Windows.ContactSupport | x | * | |Via Optional Features app | -| Settings | Windows.ImmersiveControlPanel | x | x | |No | -| Connect | Windows.MiracastView | x | | |No | -| Print 3D | Windows.Print3D | | x | |Yes | -| Print UI | Windows.PrintDialog | x | x | x |No | -| Purchase UI | Windows.PurchaseDialog | | | x |No | -| | Microsoft.AsyncTextService | | | x |No | -| | Microsoft.MicrosoftEdgeDevToolsClient | | | x |No | -| | Microsoft.Win32WebViewHost | | | x |No | -| | Microsoft.Windows.CapturePicker | | | x |No | -| | Windows.CBSPreview | | | x |No | -|File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x |No | -|File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x |No | -|App Resolver | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x |No | -|Add Suggested folder Dialog box| F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE|| | x |No | - -> [!NOTE] -> - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support). - -## Installed Windows apps - -Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, and 1803. - -| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? | -|--------------------|------------------------------------------|:----:|:----:|:----:|:----------------------:| -| Remote Desktop | Microsoft.RemoteDesktop | x | x | | Yes | -| PowerBI | Microsoft.Microsoft PowerBIforWindows | x | | | Yes | -| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | x | Yes | -| Eclipse Manager | 46928bounde.EclipseManager | x | x | x | Yes | -| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | x | Yes | -| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | x | Yes | -| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | x | Yes | -| Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes | -| News | Microsoft.BingNews | x | x | x | Yes | -| Flipboard | | | | | Yes | -| | Microsoft.Advertising.Xaml | x | x | x | Yes | -| | Microsoft.NET.Native.Framework.1.2 | x | x | x | Yes | -| | Microsoft.NET.Native.Framework.1.3 | x | x | x | Yes | -| | Microsoft.NET.Native.Framework.1.6 | | x | x | Yes | -| | Microsoft.NET.Native.Framework.1.7 | | | x | Yes | -| | Microsoft.NET.Native.Framework.2.0 | | x | x | Yes | -| | Microsoft.NET.Native.Runtime.1.1 | | x | x | Yes | -| | Microsoft.NET.Native.Runtime.1.3 | x | x | | Yes | -| | Microsoft.NET.Native.Runtime.1.4 | x | x | x | Yes | -| | Microsoft.NET.Native.Runtime.1.6 | | x | x | Yes | -| | Microsoft.NET.Native.Runtime.1.7 | | | x | Yes | -| | Microsoft.NET.Native.Runtime.2.0 | | x | x | Yes | -| | Microsoft.Services.Store.Engagement | | x | x | Yes | -| | Microsoft.VCLibs.120.00 | x | x | x | Yes | -| | Microsoft.VCLibs.140.00 | x | x | x | Yes | -| | Microsoft.VCLibs.120.00.Universal | | x | | Yes | -| | Microsoft.VCLibs.140.00.UWPDesktop | | | x | Yes | -| | Microsoft.WinJS.2.0 | x | | | Yes | ---- ## Provisioned Windows apps Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 and 1809. -``` -> Get-AppxProvisionedPackage -Online | Select-Object DisplayName, PackageName -``` +> [!TIP] +> You can list all provisioned Windows apps with this PowerShell command: +> ``` +> Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName +> ``` + +
    | Package name | App name | 1703 | 1709 | 1803 | 1809 | Uninstall through UI? | |----------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:| @@ -152,7 +57,7 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an | Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | | | x | No | | Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes | | Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | | x | x | x | No | @@ -182,7 +87,110 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an | Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No | ---- + >[!NOTE] >The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. + +## System apps + +System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1703, 1709, and 1803. + +> [!TIP] +> You can list all system apps with this PowerShell command: +> ``` +> Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation +> ``` + +
    + +| Name | Package Name | 1703 | 1709 | 1803 | Uninstall through UI? | +|----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------| +| File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x | No | +| File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x | No | +| App Resolver UX | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x | No | +| Add Suggested Folders To Library | F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE | | | x | No | +| | InputApp | | x | x | No | +| Cortana UI | CortanaListenUIApp | x | | | No | +| | Desktop Learning | x | | | No | +| | DesktopView | x | | | No | +| | EnvironmentsApp | x | | | No | +| Mixed Reality + | HoloCamera | x | | | No | +| Mixed Reality + | HoloItemPlayerApp | x | | | No | +| Mixed Reality + | HoloShell | x | | | No | +| | Microsoft.AAD.Broker.Plugin | x | x | x | No | +| | Microsoft.AccountsControl | x | x | x | No | +| | Microsoft.AsyncTextService | | | x | No | +| Hello setup UI | Microsoft.BioEnrollment | x | x | x | No | +| | Microsoft.CredDialogHost | x | x | x | No | +| | Microsoft.ECApp | | x | x | No | +| | Microsoft.LockApp | x | x | x | No | +| Microsoft Edge | Microsoft.MicrosoftEdge | x | x | x | No | +| | Microsoft.MicrosoftEdgeDevToolsClient | | | x | No | +| | Microsoft.PPIProjection | x | x | | No | +| | Microsoft.Win32WebViewHost | | | x | No | +| | Microsoft.Windows.Apprep.ChxApp | x | x | x | No | +| | Microsoft.Windows.AssignedAccessLockApp | x | x | x | No | +| | Microsoft.Windows.CapturePicker | | | x | No | +| | Microsoft.Windows.CloudExperienceHost | x | x | x | No | +| | Microsoft.Windows.ContentDeliveryManager | x | x | x | No | +| Cortana | Microsoft.Windows.Cortana | x | x | x | No | +| | Microsoft.Windows.Holographic.FirstRun | x | x | | No | +| | Microsoft.Windows.ModalSharePickerHost | x | | | No | +| | Microsoft.Windows.OOBENetworkCaptivePort | x | x | x | No | +| | Microsoft.Windows.OOBENetworkConnectionFlow | x | x | x | No | +| | Microsoft.Windows.ParentalControls | x | x | x | No | +| People Hub | Microsoft.Windows.PeopleExperienceHost | | x | x | No | +| | Microsoft.Windows.PinningConfirmationDialog | | x | x | No | +| | Microsoft.Windows.SecHealthUI | x | x | x | No | +| | Microsoft.Windows.SecondaryTileExperience | x | x | | No | +| | Microsoft.Windows.SecureAssessmentBrowser | x | x | x | No | +| Start | Microsoft.Windows.ShellExperienceHost | x | x | x | No | +| Windows Feedback | Microsoft.WindowsFeedback | * | * | | No | +| | Microsoft.XboxGameCallableUI | x | x | x | No | +| | Windows.CBSPreview | | | x | No | +| Contact Support* | Windows.ContactSupport | x | * | | Via Settings App | +| Settings | Windows.immersivecontrolpanel | x | x | x | No | +| Connect | Windows.MiracastView | x | | | No | +| Print 3D | Windows.Print3D | | x | | Yes | +| Print UI | Windows.PrintDialog | x | x | x | No | +| Purchase UI | Windows.PurchaseDialog | | | | No | + + +> [!NOTE] +> - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support). + +## Installed Windows apps + +Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, and 1803. + +| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? | +|--------------------|------------------------------------------|:----:|:----:|:----:|:---------------------:| +| Remote Desktop | Microsoft.RemoteDesktop | x | x | | Yes | +| PowerBI | Microsoft.Microsoft PowerBIforWindows | x | | | Yes | +| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | x | Yes | +| Eclipse Manager | 46928bounde.EclipseManager | x | x | x | Yes | +| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | x | Yes | +| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | x | Yes | +| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | x | Yes | +| Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes | +| News | Microsoft.BingNews | x | x | x | Yes | +| Flipboard | | | | | Yes | +| | Microsoft.Advertising.Xaml | x | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.2 | x | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.3 | x | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.6 | | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.7 | | | x | Yes | +| | Microsoft.NET.Native.Framework.2.0 | | x | x | Yes | +| | Microsoft.NET.Native.Runtime.1.1 | | x | x | Yes | +| | Microsoft.NET.Native.Runtime.1.3 | x | x | | Yes | +| | Microsoft.NET.Native.Runtime.1.4 | x | x | x | Yes | +| | Microsoft.NET.Native.Runtime.1.6 | | x | x | Yes | +| | Microsoft.NET.Native.Runtime.1.7 | | | x | Yes | +| | Microsoft.NET.Native.Runtime.2.0 | | x | x | Yes | +| | Microsoft.Services.Store.Engagement | | x | x | Yes | +| | Microsoft.VCLibs.120.00 | x | x | x | Yes | +| | Microsoft.VCLibs.140.00 | x | x | x | Yes | +| | Microsoft.VCLibs.120.00.Universal | | x | | Yes | +| | Microsoft.VCLibs.140.00.UWPDesktop | | | x | Yes | +| | Microsoft.WinJS.2.0 | x | | | Yes | --- \ No newline at end of file diff --git a/windows/application-management/deploy-app-upgrades-windows-10-mobile.md b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md index 13e16012bd..37099073f8 100644 --- a/windows/application-management/deploy-app-upgrades-windows-10-mobile.md +++ b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md @@ -20,7 +20,7 @@ There are two steps to deploy an app upgrade: 1. [Define the supersedence](#define-app-supersedence) - this lets Configuration Manager know that the old version should be replaced by the new version. 2. [Deploy the upgrade](#deploy-the-app-upgrade) to your users. -The following steps walk you through the upgrade deployment process - we have an upgraded version of the Walking Scorer app (moving from version 12.23.2.0 to 12.23.3.0). Becasuse we previously used Configuration Manager to deploy the existing version, we'll use it now to upgrade the app. +The following steps walk you through the upgrade deployment process - we have an upgraded version of the Walking Scorer app (moving from version 12.23.2.0 to 12.23.3.0). Because we previously used Configuration Manager to deploy the existing version, we'll use it now to upgrade the app. Before you can deploy the upgrade, make sure you import the new version of the app and distribute it to your manage.microsoft.com distribution point. @@ -42,7 +42,7 @@ Before you can deploy the upgrade, make sure you import the new version of the a > Do **NOT** select **Uninstall**. This tells Configuration Manager to uninstall the old version, but it does **NOT** then install the new version. 6. Click **OK**. -7. If you have other versions of the same app, repeate steps 4-6 for each version. Click **OK** when you're done. +7. If you have other versions of the same app, repeat steps 4-6 for each version. Click **OK** when you're done. > [!NOTE] > Need to remove a supersedence? (Maybe the new version turned out to be flaky and you don't want users to get it yet.) On the **Supersedence** tab for the *new* version of the app, double-click the older version in the list of supersedence rules, and then change the **New Deployment Type** to **Do not replace**. diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 7d3ae2dae2..5c20bbd8a7 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -36,7 +36,6 @@ "ms.technology": "windows", "ms.topic": "article", "ms.author": "elizapo", - "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md index 92024688fb..0197cc67d9 100644 --- a/windows/application-management/msix-app-packaging-tool.md +++ b/windows/application-management/msix-app-packaging-tool.md @@ -8,228 +8,30 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: mikeblodge ms.topic: article -ms.date: 10/18/2018 +ms.date: 12/03/2018 --- # Repackage existing win32 applications to the MSIX format -The MSIX Packaging Tool 1.2018.1005.0 is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store. +MSIX is a packaging format built to be safe, secure and reliable, based on a combination of .msi, .appx, App-V and ClickOnce installation technologies. You can [use the MSIX packaging tool](https://docs.microsoft.com/windows/msix/packaging-tool/create-app-package-msi-vm) to repackage your existing Win32 applications to the MSIX format. -> Prerequisites: +You can either run your installer interactively (through the UI) or create a package from the command line. Either way, you can convert an application without having the source code. Then, you can make your app available through the Microsoft Store. + +- [Package your favorite application installer](https://docs.microsoft.com/windows/msix/packaging-tool/create-app-package-msi-vm) interactively (msi, exe, App-V 5.x and ClickOnce) in MSIX format. +- Create a [modification package](https://docs.microsoft.com/windows/msix/packaging-tool/package-editor) to update an existing MSIX package. +- [Bundle multiple MSIX packages](https://docs.microsoft.com/windows/msix/packaging-tool/bundle-msix-packages) for distribution. + +## Installing the MSIX Packaging Tool + +### Prerequisites - Windows 10, version 1809 (or later) - Participation in the Windows Insider Program (if you're using an Insider build) - A valid Microsoft account (MSA) alias to access the app from the Microsoft Store - Admin privileges on your PC account -## Installing the MSIX Packaging Tool +### Get the app from the Microsoft Store 1. Use the MSA login associated with your Windows Insider Program credentials in the [Microsoft Store](https://www.microsoft.com/store/r/9N5LW3JBCXKF). 2. Open the product description page. -3. Click the install icon to begin installation. - -Here is what you can expect to be able to do with this tool: - -- Package your favorite application installer interactively (msi, exe, App-V 5.x and ClickOnce) to MSIX format by launching the tool and selecting **Application package** icon. -- Create a modification package for a newly created Application MSIX Package by launching the tool and selecting the **Modification package** icon. -- Open your MSIX package to view and edit its content/properties by navigating to the **Open package editor** tab. Browse to the MSIX package and select **Open package**. - -## Creating an application package using the Command line interface -To create a new MSIX package for your application, run the MsixPackagingTool.exe create-package command in a Command prompt window. - -Here are the parameters that can be passed as command line arguments: - - -|Parameter |Description | -|---------|---------| -|-?
    --help | Show help information | -|--template | [required] path to the conversion template XML file containing package information and settings for this conversion | -|--virtualMachinePassword | [optional] The password for the Virtual Machine to be used for the conversion environment. Notes: The template file must contain a VirtualMachine element and the Settings::AllowPromptForPassword attribute must not be set to true. | - -Examples: - -- MsixPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml -- MSIXPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml --virtualMachinePassword pswd112893 - -## Creating an application package using virtual machines - -You can select to perform the packaging steps on a virtual machine. To do this: -- Click on Application package and select “Create package on an existing virtual machine” in the select environment page. -- The tool will then query for existing Virtual machines and allows you to select one form a drop down menu. -- Once a VM is selected the tool will ask for user and password. The username field accepts domain\user entries as well. - -When using local virtual machines as conversion environment, the tool leverages an authenticated remote PowerShell connection to configure the virtual machine. A lightweight WCF server then provides bidirectional communication between the host and target environment. - -Requirements: -- Virtual Machine need to have PSRemoting enabled. (Enable-PSRemoting command should be run on the VM) -- Virtual Machine needs to be configured for Windows Insider Program similar to the host machine. Minimum Windows 10 build 17701 - - -## Conversion template file - - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Conversion template parameter reference -Here is the complete list of parameters that you can use in the Conversion template file. When a virtual machine is conversion environment, all file paths(installer, savelocation, etc) should be declared relative to the host, where the tool is running) - - -|ConversionSettings entries |Description | -|---------|---------| -|Settings:: AllowTelemetry |[optional] Enables telemetry logging for this invocation of the tool. | -|Settings:: ApplyAllPrepareComputerFixes |[optional] Applies all recommended prepare computer fixes. Cannot be set when other attributes are used. | -|Settings:: GenerateCommandLineFile |[optional] Copies the template file input to the SaveLocation directory for future use. | -|Settings:: AllowPromptForPassword |[optional] Instructs the tool to prompt the user to enter passwords for the Virtual Machine and for the signing certificate if it is required and not specified. | -|Settings:: EnforceMicrosoftStoreVersioningRequirements|[optional] Instructs the tool to enforce the package versioning scheme required for deployment from Microsoft Store and Microsoft Store for Business.| -|ExclusionItems |[optional] 0 or more FileExclusion or RegistryExclusion elements. All FileExclusion elements must appear before any RegistryExclusion elements. | -|ExclusionItems::FileExclusion |[optional] A file to exclude for packaging. | -|ExclusionItems::FileExclusion::ExcludePath |Path to file to exclude for packaging. | -|ExclusionItems::RegistryExclusion |[optional] A registry key to exclude for packaging. | -|ExclusionItems::RegistryExclusion:: ExcludePath |Path to registry to exclude for packaging. | -|PrepareComputer::DisableDefragService |[optional] Disables Windows Defragmenter while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. | -|PrepareComputer:: DisableWindowsSearchService |[optional] Disables Windows Search while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. | -|PrepareComputer:: DisableSmsHostService |[optional] Disables SMS Host while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. | -|PrepareComputer:: DisableWindowsUpdateService |[optional] Disables Windows Update while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. | -|SaveLocation |[optional] An element to specify the save location of the tool. If not specified, the package will be saved under the Desktop folder. | -|SaveLocation::PackagePath |[optional] The path to the file or folder where the resulting MSIX package is saved. | -|SaveLocation::TemplatePath |[optional] The path to the file or folder where the resulting CLI template is saved. | -|Installer::Path |The path to the application installer. | -|Installer::Arguments |The arguments to pass to the installer. You must pass the arguments to force your installer to run unattended/silently. If the installer is an msi or appv, pass an empty argument ie Installer=””. | -|Installer::InstallLocation |[optional] The full path to your application's root folder for the installed files if it were installed (e.g. "C:\Program Files (x86)\MyAppInstalllocation"). | -|VirtualMachine |[optional] An element to specify that the conversion will be run on a local Virtual Machine. | -|VrtualMachine::Name |The name of the Virtual Machine to be used for the conversion environment. | -|VirtualMachine::Username |[optional] The user name for the Virtual Machine to be used for the conversion environment. | -|PackageInformation::PackageName |The Package Name for your MSIX package. | -|PackageInformation::PackageDisplayName |The Package Display Name for your MSIX package. | -|PackageInformation::PublisherName |The Publisher for your MSIX package. | -|PackageInformation::PublisherDisplayName |The Publisher Display Name for your MSIX package. | -|PackageInformation::Version |The version number for your MSIX package. | -|PackageInformation:: MainPackageNameForModificationPackage |[optional] The Package identity name of the main package name. This is used when creating a modification package that takes a dependency on a main (parent) application. | -|Applications |[optional] 0 or more Application elements to configure the Application entries in your MSIX package. | -|Application::Id |The App ID for your MSIX application. This ID will be used for the Application entry detected that matches the specified ExecutableName. You can have multiple Application ID for executables in the package | -|Application::ExecutableName |The executable name for the MSIX application that will be added to the package manifest. The corresponding application entry will be ignored if no application with this name is detected. | -|Application::Description |[optional] The App Description for your MSIX application. If not used, the Application DisplayName will be used. This description will be used for the application entry detected that matches the specified ExecutableName | -|Application::DisplayName |The App Display Name for your MSIX package. This Display Name will be used for the application entry detected that matches the specified ExecutableName | -|Capabilities |[optional] 0 or more Capability elements to add custom capabilities to your MSIX package. “runFullTrust” capability is added by default during conversion. | -|Capability::Name |The capability to add to your MSIX package. | - -## Delete temporary conversion files using Command line interface -To delete all the temporary package files, logs, and artifacts created by the tool, run the MsixPackagingTool.exe cleanup command in the Command line window. - -Example: -- MsixPackagingTool.exe cleanup - -## How to file feedback - -Open Feedback Hub. Alternatively, launch the tool and select the **Settings** gear icon in the top right corner to open the Feedback tab. Here you can file feedback for suggestions, problems, and see other feedback items. - -## Best practices - -- When Packaging ClickOnce installers, it is necessary to send a shortcut to the desktop if the installer is not doing so already. In general, it's a good practice to always send a shortcut to your desktop for the main app executable. -- When creating modification packages, you need to declare the **Package Name** (Identity Name) of the parent application in the tool UI so that the tool sets the correct package dependency in the manifest of the modification package. -- Declaring an installation location field on the Package information page is optional but *recommended*. Make sure that this path matches the installation location of application Installer. -- Performing the preparation steps on the **Prepare Computer** page is optional but *highly recommended*. - -## Known issues -- MSIX Packaging Tool Driver will fail to install if Windows Insider flight ring settings do no match the OS build of the conversion environment. Navigate to Settings, Updates & Security, Windows Insider Program to make sure your Insider preview build settings do not need attention. If you see this message click on the Fix me button to log in again. You might have to go to Windows Update page and check for update before settings change takes effect. Then try to run the tool again to download the MSIX Packaging Tool driver. If you are still hitting issues, try changing your flight ring to Canary or Insider Fast, install the latest Windows updates and try again. -- Restarting the machine during application installation is not supported. Please ignore the restart request if possible or pass an argument to the installer to not require a restart. -- Setting **EnforceMicrosoftStoreVersioningRequirements=true**, when using the command line interface, will throw an error, even if the vesrion is set correctly. To work around this issue, use **EnforceMicrosoftStoreVersioningRequirements=false** in the conversion template file. -- Adding files to MSIX packages in package editor does not add the file to the folder that the user right-clicks. To work around this issue, ensure that the file being added is in the correct classic app location. For example if you want to add a file in the VFS\ProgramFilesx86\MyApp folder, copy the file locally to your C:\Program Files (86)\MyApp location first, then in the package editor right-click **Package files**, and then click **Add file**. Browse to the newly copied file, then click **Save**. +3. Click the install icon to begin installation. \ No newline at end of file diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md index ca43f5a4ed..e2c31b7f81 100644 --- a/windows/application-management/svchost-service-refactoring.md +++ b/windows/application-management/svchost-service-refactoring.md @@ -68,7 +68,7 @@ For example, this is the registry key configuration for BFE: ## Memory footprint -Be aware that separating services increases the total number of SvcHost instances, which increases memory utlization. (Service grouping provided a modest reduction to the overall resource footprint of the services involved.) +Be aware that separating services increases the total number of SvcHost instances, which increases memory utilization. (Service grouping provided a modest reduction to the overall resource footprint of the services involved.) Consider the following: diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index 93b1e53290..d3c28bfc73 100644 --- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md @@ -12,8 +12,19 @@ ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md) ## [Windows libraries](windows-libraries.md) ## [Troubleshoot Windows 10 clients](windows-10-support-solutions.md) -### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md) -### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md) -### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md) +### [Advanced troubleshooting for Windows networking](troubleshoot-networking.md) +#### [Advanced troubleshooting Wireless network connectivity](advanced-troubleshooting-wireless-network-connectivity.md) +#### [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md) +##### [Data collection for troubleshooting 802.1X authentication](data-collection-for-802-authentication.md) +#### [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md) +##### [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md) +##### [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md) +##### [Troubleshoot port exhaustion](troubleshoot-tcpip-port-exhaust.md) +##### [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md) +### [Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md) +#### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md) +#### [Advanced troubleshooting for Windows-based computer freeze](troubleshoot-windows-freeze.md) +#### [Advanced troubleshooting for stop error or blue screen error](troubleshoot-stop-errors.md) +#### [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md) ## [Mobile device management for solution providers](mdm/index.md) ## [Change history for Client management](change-history-for-client-management.md) diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index b1ab9770a3..24681f6db4 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -1,87 +1,118 @@ --- -title: Advanced Troubleshooting 802.1x Authentication -description: Learn how 802.1x Authentication works -keywords: advanced troubleshooting, 802.1x authentication, troubleshooting, authentication, Wi-Fi +title: Advanced Troubleshooting 802.1X Authentication +description: Learn how 802.1X Authentication works +keywords: advanced troubleshooting, 802.1X authentication, troubleshooting, authentication, Wi-Fi ms.prod: w10 ms.mktglfcycl: ms.sitesec: library author: kaushika-msft ms.localizationpriority: medium -ms.author: mikeblodge -ms.date: 10/29/2018 +ms.author: greg-lindsay --- -# Advanced Troubleshooting 802.1x Authentication +# Advanced troubleshooting 802.1X authentication ## Overview -This is a general troubleshooting of 802.1x wireless and wired clients. With -802.1x and Wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make Access Points or Switches, it won't be an end-to-end Microsoft solution. + +This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or wwitches, it won't be an end-to-end Microsoft solution. -### Scenarios +## Scenarios + This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 - 10 for clients, and Windows Server 2008 R2 - 2012 R2 for NPS. -### Known Issues -N/A - -### Data Collection -[Advanced Troubleshooting 802.1x Authentication Data Collection](https://docs.microsoft.com/en-us/windows/client-management/data-collection-for-802-authentication) - -### Troubleshooting -- Viewing the NPS events in the Windows Security Event log is one of the most useful troubleshooting methods to obtain information about failed authentications. +## Known Issues -NPS event log entries contain information on the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. NPS event logging for rejected or accepted connection is enabled by default. -Check Windows Security Event log on the NPS Server for NPS events corresponding to rejected (event ID 6273) or accepted (event ID 6272) connection attempts. +None -In the event message, scroll to the very bottom, and check the **Reason Code** field and the text associated with it. +## Data Collection + +See [Advanced troubleshooting 802.1X authentication data collection](data-collection-for-802-authentication.md). -![example of an audit failure](images/auditfailure.png) -*Example: event ID 6273 (Audit Failure)* +## Troubleshooting + +Viewing [NPS authentication status events](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735320(v%3dws.10)) in the Windows Security [event log](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc722404(v%3dws.11)) is one of the most useful troubleshooting methods to obtain information about failed authentications. + +NPS event log entries contain information on the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you are not seeing both success and failure events, see the section below on [NPS audit policy](#audit-policy). + +Check Windows Security Event log on the NPS Server for NPS events corresponding to rejected ([event ID 6273](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts. + +In the event message, scroll to the very bottom, and check the [Reason Code](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text associated with it. + + ![example of an audit failure](images/auditfailure.png) + *Example: event ID 6273 (Audit Failure)*

    ‎ -![example of an audit success](images/auditsuccess.png) -*Example: event ID 6272 (Audit Success)* + ![example of an audit success](images/auditsuccess.png) + *Example: event ID 6272 (Audit Success)*
    -‎ -- The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, Wired AutoConfig operational log is equivalent one. +‎The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, Wired AutoConfig operational log is equivalent one. -On client side, navigate to the Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational for wireless issue (for wired network access, ..\Wired-AutoConfig/Operational). +On the client side, navigate to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, navigate to **..\Wired-AutoConfig/Operational**. See the following example: ![event viewer screenshot showing wired-autoconfig and WLAN autoconfig](images/eventviewer.png) -- Most 802.1X authentication issues is due to problems with the certificate which is used for client or server authentication (e.g. invalid certificate, expiration, chain verification failure, revocation check failure, etc.). +Most 802.1X authentication issues are due to problems with the certificate that is used for client or server authentication (e.g. invalid certificate, expiration, chain verification failure, revocation check failure, etc.). -First, make sure which type of EAP method is being used. +First, validate the type of EAP method being used: ![eap authentication type comparison](images/comparisontable.png) -- If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from EAP property menu. See figure below. +If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu: ![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png) -- The CAPI2 event log will be useful for troubleshooting certificate-related issues. -This log is not enabled by default. You can enable this log by navigating to the Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2 directory and expand it, then right-click on the Operational view and click the Enable Log menu. +The CAPI2 event log will be useful for troubleshooting certificate-related issues. +This log is not enabled by default. You can enable this log by expanding **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, right-clicking **Operational** and then clicking **Enable Log**. -![screenshot of event viewer](images/eventviewer.png) +![screenshot of event viewer](images/capi.png) -You can refer to this article about how to analyze CAPI2 event logs. -[Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29) -For detailed troubleshooting 802.1X authentication issues, it's important to understand 802.1X authentication process. The figure below is an example of wireless connection process with 802.1X authentication. +The following article explains how to analyze CAPI2 event logs: +[Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29). -![aithenticatior flow chart](images/authenticator_flow_chart.png) - -- If you collect network packet capture on both a client and a NPS side, you can see the flow like below. Type **EAPOL** in Display Filter menu in Network Monitor for a client side and **EAP** for a NPS side. - -> [!NOTE] -> info not critical to a task If you also enable wireless scenario trace with network packet capture, you can see more detailed information on Network Monitor with **ONEX\_MicrosoftWindowsOneX** and **WLAN\_MicrosoftWindowsWLANAutoConfig** Network Monitor filtering applied. +When troubleshooting complex 802.1X authentication issues, it is important to understand the 802.1X authentication process. The following figure is an example of wireless connection process with 802.1X authentication: + +![authenticatior flow chart](images/authenticator_flow_chart.png) +If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter in for a client side capture, and **EAP** for an NPS side capture. See the following examples: ![client-side packet capture data](images/clientsidepacket_cap_data.png) -*Client-side packet capture data* +*Client-side packet capture data*

    ![NPS-side packet capture data](images/NPS_sidepacket_capture_data.png) -*NPS-side packet capture data* -‎ +*NPS-side packet capture data*
    +‎ + +> [!NOTE] +> If you have a wireless trace, you can also [view ETL files with network monitor](https://docs.microsoft.com/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. Follow the instructions under the **Help** menu in Network Monitor to load the reqired [parser](https://blogs.technet.microsoft.com/netmon/2010/06/04/parser-profiles-in-network-monitor-3-4/) if needed. See the example below. + +![ETL parse](images/etl.png) + +## Audit policy + +NPS audit policy (event logging) for connection success and failure is enabled by default. If you find that one or both types of logging are disabled, use the following steps to troubleshoot. + +View the current audit policy settings by running the following command on the NPS server: +``` +auditpol /get /subcategory:"Network Policy Server" +``` + +If both success and failure events are enabled, the output should be: +
    +System audit policy
+Category/Subcategory                      Setting
+Logon/Logoff
+  Network Policy Server                   Success and Failure
+
    + +If it shows ‘No auditing’, you can run this command to enable it: + +``` +auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable +``` + +Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing via Group Policy. The success/failure setting can be found under **Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff -> Audit Network Policy Server**. + ## Additional references -[Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/ja-jp/library/cc766215%28v=ws.10%29.aspx) -[Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/de-de/library/cc749352%28v=ws.10%29.aspx) +[Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/library/cc766215%28v=ws.10%29.aspx)
    +[Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/library/cc749352%28v=ws.10%29.aspx) diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md new file mode 100644 index 0000000000..207d12b5d3 --- /dev/null +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md @@ -0,0 +1,389 @@ +--- +title: Advanced troubleshooting for Windows boot problems +description: Learn how to troubleshoot when Windows is unable to boot +ms.prod: w10 +ms.sitesec: library +author: kaushika-msft +ms.localizationpriority: medium +ms.author: elizapo +ms.date: 11/16/2018 +--- + +# Advanced troubleshooting for Windows boot problems + +>[!NOTE] +>This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/help/12415). + +## Summary + +There are several reasons why a Windows-based computer may have problems during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck: + +| **Phase** | **Boot Process** | **BIOS** | **UEFI** | +|--------|----------------------|------------------------------| | +| 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware | +| 2 | Windows Boot Manager | %SystemDrive%\bootmgr | \EFI\Microsoft\Boot\bootmgfw.efi | +| 3 | Windows OS Loader | %SystemRoot%\system32\winload.exe | %SystemRoot%\system32\winload.efi | +| 4 | Windows NT OS Kernel | %SystemRoot%\system32\ntoskrnl.exe | | + + +**1. PreBoot** + +The PC’s firmware initiates a Power-On Self Test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot +Manager. + +**2. Windows Boot Manager** + +Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition. + +**3. Windows operating system loader** + +Essential drivers required to start the Windows kernel are loaded and the kernel starts to run. + +**4. Windows NT OS Kernel** + +The kernel loads into memory the system registry hive and additional drivers that are marked as BOOT_START. + +The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that are not marked BOOT_START. + +Here is a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. + +![thumbnail of boot sequence flowchart](images/boot-sequence-thumb.png)
    +[Click to enlarge](img-boot-sequence.md)
    + + + + +Each phase has a different approach to troubleshooting. This article provides troubleshooting techniques for problems that occur during the first three phases. + +>[!NOTE] +>If the computer repeatedly boots to the recovery options, run the following command at a command prompt to break the cycle: +> +>`Bcdedit /set {default} recoveryenabled no` +> +>If the F8 options don't work, run the following command: +> +>`Bcdedit /set {default} bootmenupolicy legacy` + + +## BIOS phase + +To determine whether the system has passed the BIOS phase, follow these steps: + +1. If there are any external peripherals connected to the computer, disconnect them. +2. Check whether the hard disk drive light on the physical computer is working. If it is not working, this indicates that the startup process is stuck at the BIOS phase. +3. Press the NumLock key to see whether the indicator light toggles on and off. If it does not, this indicates that the startup process is stuck at BIOS. + +If the system is stuck at the BIOS phase, there may be a hardware problem. + +## Boot loader phase + +If the screen is completely black except for a blinking cursor, or if you receive one of the following error codes, this indicates that the boot process is stuck in the Boot Loader phase: + +- Boot Configuration Data (BCD) missing or corrupted +- Boot file or MBR corrupted +- Operating system Missing +- Boot sector missing or corrupted +- Bootmgr missing or corrupted +- Unable to boot due to system hive missing or corrupted + +To troubleshoot this problem, use Windows installation media to start the computer, press Shift+F10 for a command prompt, and then use any of the following methods. + + +### Method 1: Startup Repair tool + +The Startup Repair tool automatically fixes many common problems. The tool also lets you quickly diagnose and repair more complex startup problems. When the computer detects a startup problem, the computer starts the Startup Repair tool. When the tool starts, it performs diagnostics. These diagnostics include analyzing startup log files to determine the cause of the problem. When the Startup Repair tool determines the cause, the tool tries to fix the problem automatically. + +To do this, follow these steps. + +>[!NOTE] +>For additional methods to start WinRE, see [Entry points into WinRE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). + +1. Start the system to the installation media for the installed version of Windows. + **Note** For more information, see [Create installation media for Windows](https://support.microsoft.com/help/15088). + +2. On the **Install Windows** screen, select **Next** > **Repair your computer**. + +3. On the **System Recovery Options** screen, select **Next** > **Command Prompt**. + +4. After Startup Repair, select **Shutdown**, then turn on your PC to see if Windows can boot properly. + +The Startup Repair tool generates a log file to help you understand the startup problems and the repairs that were made. You can find the log file in the following location: + +**%windir%\System32\LogFiles\Srt\Srttrail.txt** + + +For more information see, [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s) + + +### Method 2: Repair Boot Codes + +To repair boot codes, run the following command: + +```dos +BOOTREC /FIXMBR +``` + +To repair the boot sector, run the following command: + +```dos +BOOTREC /FIXBOOT +``` + +>[!NOTE] +>Running **BOOTREC** together with **Fixmbr** overwrites only the master boot code. If the corruption in the MBR affects the partition table, running **Fixmbr** may not fix the problem. + +### Method 3: Fix BCD errors + +If you receive BCD-related errors, follow these steps: + +1. Scan for all the systems that are installed. To do this, run the following command: + ```dos + Bootrec /ScanOS + ``` + +2. Restart the computer to check whether the problem is fixed. + +3. If the problem is not fixed, run the following command: + ```dos + Bootrec /rebuildbcd + ``` + +4. You might receive one of the following outputs: + + - Scanning all disks for Windows installations. Please wait, since this may take a while...Successfully scanned Windows installations. Total identified Windows installations: 0 + The operation completed successfully. + + - Scanning all disks for Windows installations. Please wait, since this may take a while... Successfully scanned Windows installations. Total identified Windows installations: 1 + D:\Windows + Add installation to boot list? Yes/No/All: + +If the output shows **windows installation: 0**, run the following commands: + +```dos +bcdedit /export c:\bcdbackup + +attrib c:\\boot\\bcd -h -r –s + +ren c:\\boot\\bcd bcd.old + +bootrec /rebuildbcd +``` + +After you run the command, you receive the following output: + + Scanning all disks for Windows installations. Please wait, since this may take a while...Successfully scanned Windows installations. Total identified Windows installations: 1{D}:\Windows +Add installation to boot list? Yes/No/All: Y + +5. Try again to start the system. + +### Method 4: Replace Bootmgr + +If methods 1 and 2 do not fix the problem, replace the Bootmgr file from drive C to the System Reserved partition. To do this, follow these steps: + +1. At a command prompt, change the directory to the System Reserved partition. + +2. Run the **attrib** command to unhide the file: + ```dos + attrib-s -h -r + ``` + +3. Run the same **attrib** command on the Windows (system drive): + ```dos + attrib-s -h –r + ``` + +4. Rename the Bootmgr file as Bootmgr.old: + ```dos + ren c:\\bootmgr bootmgr.old + ``` + +5. Start a text editor, such as Notepad. + +6. Navigate to the system drive. + +7. Copy the Bootmgr file, and then paste it to the System Reserved partition. + +8. Restart the computer. + +### Method 5: Restore System Hive + +If Windows cannot load the system registry hive into memory, you must restore the system hive. To do this, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the C:\Windows\System32\config\RegBack to C:\Windows\System32\config. + +If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced. + + +## Kernel Phase + +If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following: + +- A Stop error appears after the splash screen (Windows Logo screen). + +- Specific error code is displayed. + For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on. + (To troubleshoot the 0x0000007B error, see [Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)](https://internal.support.services.microsoft.com/help/4343769/troubleshooting-guide-for-windows-boot-problems#0x7bstoperror)) + +- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon. + +- A black screen appears after the splash screen. + +To troubleshoot these problems, try the following recovery boot options one at a time. + +**Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration** + +On the **Advanced Boot Options** screen, try to start the computer in **Safe Mode** or **Safe Mode with Networking**. If either of these options works, use Event Viewer to help identify and diagnose the cause of the boot problem. To view events that are recorded in the event logs, follow these steps: + +1. Use one of the following methods to open Event Viewer: + + - Click **Start**, point to **Administrative Tools**, and then click + **Event Viewer**. + + - Start the Event Viewer snap-in in Microsoft Management Console (MMC). + +2. In the console tree, expand Event Viewer, and then click the log that you + want to view. For example, click **System log** or **Application log**. + +3. In the details pane, double-click the event that you want to view. + +4. On the **Edit** menu, click **Copy**, open a new document in the program in + which you want to paste the event (for example, Microsoft Word), and then + click **Paste**. + +5. Use the Up Arrow or Down Arrow key to view the description of the previous + or next event. + + +### Clean boot + +To troubleshoot problems that affect services, do a clean boot by using System Configuration (msconfig). +Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you cannot find the cause, try including system services. However, in most cases, the problematic service is third-party. + +Disable any service that you find to be faulty, and try to start the computer again by selecting **Normal startup**. + +For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135/how-to-perform-a-clean-boot-in-windows). + +If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode, and then follow the steps that are documented in the following article to determine which drivers or files require driver signature enforcement: +[Troubleshooting boot problem caused by missing driver signature (x64)](https://blogs.technet.microsoft.com/askcore/2012/04/15/troubleshooting-boot-issues-due-to-missing-driver-signature-x64/) + +>[!NOTE] +>If the computer is a domain controller, try Directory Services Restore mode (DSRM). +> +>This method is an important step if you encounter Stop error "0xC00002E1" or "0xC00002E2" + + +**Examples** + +>[!WARNING] +>Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these +problems can be solved. Modify the registry at your own risk. + +*Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)* + +To troubleshoot this Stop error, follow these steps to filter the drivers: + +1. Go to Window Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of same version of Windows or a later version. + +2. Open the registry. + +3. Load the system hive, and name it as "test." + +4. Under the following registry subkey, check for lower filter and upper filter items for Non-Microsoft Drivers: + + **HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class** + +5. For each third-party driver that you locate, click the upper or lower filter, and then delete the value data. + +6. Search through the whole registry for similar items. Process as an appropriate, and then unload the registry hive. + +7. Restart the server in Normal mode. + +For additional troubleshooting steps, see the following articles: + +- [Troubleshooting a Stop 0x7B in Windows](https://blogs.technet.microsoft.com/askcore/2013/08/05/troubleshooting-a-stop-0x7b-in-windows/) + +- [Advanced troubleshooting for "Stop error code 0x0000007B (INACCESSIBLE_BOOT_DEVICE)" errors in Windows XP](https://internal.support.services.microsoft.com/help/324103). + +To fix problems that occur after you install Windows updates, check for pending updates by using these steps: + +1. Open a Command Prompt winodw in WinRE. + +2. Run the command: + ```dos + dism /image:C:\ /get-packages + ``` + +3. If there are any pending updates, uninstall them by running the following commands: + ```dos + DISM /image:C:\ /remove-package /packagename: name of the package + ``` + ```dos + Dism /Image:C:\ /Cleanup-Image /RevertPendingActions + ``` + +Try to start the computer. + +If the computer does not start, follow these steps: + +1. Open A Command Prompt window in WinRE, and start a text editor, such as Notepad. + +2. Navigate to the system drive, and search for windows\winsxs\pending.xml. + +3. If the Pending.xml file is found, rename the file as Pending.xml.old. + +4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as a test. + +5. Highlight the loaded test hive, and then search for the **pendingxmlidentifier** value. + +6. If the **pendingxmlidentifier** value exists, delete the value. + +7. Unload the test hive. + +8. Load the system hive, name it as "test". + +9. Navigate to the following subkey: + + **HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\TrustedInstaller** + +10. Change the **Start** value from **1** to **4** + +11. Unload the hive. + +12. Try to start the computer. + +If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For details, see the following Knowledge Base article: + +- [969028](https://support.microsoft.com/help/969028) How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2 + +For more information about page file problems in Windows 10 or Windows Server 2016, see the following Knowledge Base article: + +- [4133658](https://support.microsoft.com/help/4133658) Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows + +For more information about Stop errors, see the following Knowledge Base article: + +- [3106831](https://support.microsoft.com/help/3106831) Troubleshooting Stop error problems for IT Pros + + +If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines: + +- Check the functionality that is provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does. + +- If the driver is not important and has no dependencies, load the system hive, and then disable the driver. + +- If the stop error indicates system file corruption, run the system file checker in offline mode. + - To do this, open WinRE, open a command prompt, and then run the following command: + ```dos + SFC /Scannow /OffBootDir=C:\ /OffWinDir=E:\Windows + ``` + For more information, see [Using System File Checker (SFC) To Fix Issues](https://blogs.technet.microsoft.com/askcore/2007/12/18/using-system-file-checker-sfc-to-fix-issues/) + + - If there is disk corruption, run the check disk command: + ```dos + chkdsk /f /r + ``` + + - If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps: + + 1. Start WinRE, and open a Command Prompt window. + 2. Start a text editor, such as Notepad. + 3. Navigate to C\Windows\System32\Config\. + 4. Rename the all five hives by appending ".old" to the name. + 5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode. diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md index 5647279113..412bbb99bc 100644 --- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md +++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md @@ -7,30 +7,31 @@ ms.mktglfcycl: ms.sitesec: library author: kaushika-msft ms.localizationpriority: medium -ms.author: mikeblodge -ms.date: 10/29/2018 +ms.author: greg-lindsay --- -# Advanced Troubleshooting Wireless Network Connectivity + +# Advanced troubleshooting wireless network connectivity > [!NOTE] > Home users: This article is intended for use by support agents and IT professionals. If you're looking for more general information about Wi-Fi problems in Windows 10, check out this [Windows 10 Wi-Fi fix article](https://support.microsoft.com/en-in/help/4000432/windows-10-fix-wi-fi-problems). ## Overview -This is a general troubleshooting of establishing Wi-Fi connections from Windows Clients. + +This is a general troubleshooting of establishing Wi-Fi connections from Windows clients. Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine. Understanding this flow makes it easier to determine the starting point in a repro scenario in which a different behavior is found. This workflow involves knowledge and use of [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases), an extensive text filtering tool that is useful with complex traces with numerous ETW providers such as wireless_dbg trace scenario. ## Scenarios -Any scenario in which Wi-Fi connections are attempted and fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7. +This article applies to any scenario in which Wi-Fi connections fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7. > [!NOTE] -> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component ETW. It is not meant to be representative of every wireless problem scenario. +> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component [Event Tracing for Windows](https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal) (ETW). It is not meant to be representative of every wireless problem scenario. -Wireless ETW is incredibly verbose and calls out lots of innocuous errors (i.e. Not really errors so much as behaviors that are flagged and have nothing to do with the problem scenario). Simply searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem. +Wireless ETW is incredibly verbose and calls out a lot of innocuous errors (rather flagged behaviors that have little or nothing to do with the problem scenario). Simply searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem. It is important to understand the different Wi-Fi components involved, their expected behaviors, and how the problem scenario deviates from those expected behaviors. -The intention of this troubleshooter is to show how to find a starting point in the verbosity of wireless_dbg ETW and home in on the responsible component(s) causing the connection problem. +The intention of this troubleshooter is to show how to find a starting point in the verbosity of wireless_dbg ETW and home in on the responsible components that are causing the connection problem. ### Known Issues and fixes ** ** @@ -41,6 +42,7 @@ The intention of this troubleshooter is to show how to find a starting point in | **Windows 10, version 1703** | [KB4338827](https://support.microsoft.com/help/4338827) | Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update-history webpage for your system: +- [Windows 10 version 1809](https://support.microsoft.com/help/4464619) - [Windows 10 version 1803](https://support.microsoft.com/help/4099479) - [Windows 10 version 1709](https://support.microsoft.com/en-us/help/4043454) - [Windows 10 version 1703](https://support.microsoft.com/help/4018124) @@ -50,35 +52,47 @@ Make sure that you install the latest Windows updates, cumulative updates, and r - [Windows Server 2012](https://support.microsoft.com/help/4009471) - [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/40009469) -### Data Collection -1. Network Capture with ETW. Use the following command: +## Data Collection - **netsh trace start wireless\_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl** +1. Network Capture with ETW. Enter the following at an elevated command prompt: -2. Reproduce the issue if: - - There is a failure to establish connection, try to manually connect - - It is intermittent but easily reproducible, try to manually connect until it fails. Include timestamps of each connection attempt (successes and failures) - - Tue issue is intermittent but rare, netsh trace stop command needs to be triggered automatically (or at least alerted to admin quickly) to ensure trace doesn’t overwrite the repro data. - - Intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop). + ``` + netsh trace start wireless_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl + ``` +2. Reproduce the issue. + - If there is a failure to establish connection, try to manually connect. + - If it is intermittent but easily reproducible, try to manually connect until it fails. Record the time of each connection attempt, and whether it was a success or failure. + - If the issue is intermittent but rare, netsh trace stop command needs to be triggered automatically (or at least alerted to admin quickly) to ensure trace doesn’t overwrite the repro data. + - If intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop). +3. Stop the trace by entering the following command: + + ``` + netsh trace stop + ``` +4. To convert the output file to text format: + + ``` + netsh trace convert c:\tmp\wireless.etl + ``` + +See the [example ETW capture](#example-etw-capture) at the bottom of this article for an example of the command output. After running these commands, you will have three files: wireless.cab, wireless.etl, and wireless.txt. + +## Troubleshooting -3. Run this command to stop the trace: **netsh trace stop** -4. To convert the output file to text format: **netsh trace convert c:\tmp\wireless.etl** - -### Troubleshooting The following is a high-level view of the main wifi components in Windows. - -![Wi-Fi stack components](images/wifistackcomponents.png) -The Windows Connection Manager (Wcmsvc) is closely associated with the UI controls (see taskbar icon) to connect to various networks including wireless. It accepts and processes input from the user and feeds it to the core wireless service (Wlansvc). The Wireless Autoconfig Service (Wlansvc) handles the core functions of wireless networks in windows: +
    Operating system ArchitectureOperating string string valueString value
    + + + + + +
    The Windows Connection Manager (Wcmsvc) is closely associated with the UI controls (taskbar icon) to connect to various networks, including wireless networks. It accepts and processes input from the user and feeds it to the core wireless service.
    The WLAN Autoconfig Service (WlanSvc) handles the following core functions of wireless networks in windows: - Scanning for wireless networks in range -- Managing connectivity of wireless networks +- Managing connectivity of wireless networks
    The Media Specific Module (MSM) handles security aspects of connection being established.
    The Native Wifi stack consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc.
    Third-party wireless miniport drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows.
    -The Media Specific Module (MSM) handles security aspects of connection being established. -The Native Wifi stack consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc. - -Third-party wireless miniport drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows. The wifi connection state machine has the following states: - Reset - Ihv_Configuring @@ -99,86 +113,105 @@ Reset --> Ihv_Configuring --> Configuring --> Associating --> Authenticating --> Connected --> Roaming --> Wait_For_Disconnected --> Disconnected --> Reset -- Filtering the ETW trace with the provided [TextAnalyisTool (TAT)](Missing wifi.tat file) filter is an easy first step to determine where a failed connection setup is breaking down: -Use the **FSM transition** trace filter to see the connection state machine. -Example of a good connection setup: +>Filtering the ETW trace with the [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases) (TAT) is an easy first step to determine where a failed connection setup is breaking down. A useful [wifi filter file](#wifi-filter-file) is included at the bottom of this article. -``` +Use the **FSM transition** trace filter to see the connection state machine. You can see [an example](#textanalysistool-example) of this filter applied in the TAT at the bottom of this page. + +The following is an example of a good connection setup: + +
     44676 [2]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
-45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv\_Configuring
-45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv\_Configuring to State: Configuring
+45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv_Configuring
+45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv_Configuring to State: Configuring
 46085 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating
 47393 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating
 49465 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Connected
-```
-Example of a failed connection setup:
-```
+
    + +The following is an example of a failed connection setup: + +
     44676 [2]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
-45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv\_Configuring
-45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv\_Configuring to State: Configuring
+45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv_Configuring
+45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv_Configuring to State: Configuring
 46085 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating
 47393 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating
 49465 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Roaming
-```
-By identifying the state at which the connection fails, one can focus more specifically in the trace on logs just prior to the last known good state. Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs just prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components.
+
    + +By identifying the state at which the connection fails, one can focus more specifically in the trace on logs just prior to the last known good state. + +Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs just prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components. In many cases the next component of interest will be the MSM, which lies just below Wlansvc. - -![MSM details](images/msmdetails.png) The important components of the MSM include: - Security Manager (SecMgr) - handles all pre and post-connection security operations. - Authentication Engine (AuthMgr) – Manages 802.1x auth requests + + ![MSM details](images/msmdetails.png) + Each of these components has their own individual state machines which follow specific transitions. Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail. + Continuing with the example above, the combined filters look like this: -``` +
     [2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Reset to State: Ihv_Configuring
 [2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Ihv_Configuring to State: Configuring
 [1] 0C34.2FE8::08/28/17-13:24:28.711 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Configuring to State: Associating
-[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition INACTIVE (1) --> ACTIVE (2)
-[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition ACTIVE (2) --> START AUTH (3)
+[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition INACTIVE (1) --> ACTIVE (2)
+[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition ACTIVE (2) --> START AUTH (3)
 [4] 0EF8.0708::08/28/17-13:24:28.928 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition ENABLED  --> START_AUTH  
 [3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Associating to State: Authenticating
-[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
+[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
 [4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition START_AUTH  --> AUTHENTICATING  
-[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
-[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
+[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
+[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
 [2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Authenticating to State: Roaming
-```
+
    + > [!NOTE] -> In this line the SecMgr transition is suddenly deactivating. This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing just prior to this SecMgr behavior to determine the reason for the deactivation. +> In the next to last line the SecMgr transition is suddenly deactivating:
    +>\[2\] 0C34.2FF0::08/28/17-13:24:29.7512788 \[Microsoft-Windows-WLAN-AutoConfig\]Port\[13\] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)

    +>This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing just prior to this SecMgr behavior to determine the reason for the deactivation. -- Enabling the **Microsoft-Windows-WLAN-AutoConfig** filter will show more detail leading to the DEACTIVATE transition: +Enabling the **Microsoft-Windows-WLAN-AutoConfig** filter will show more detail leading to the DEACTIVATE transition: -``` +
     [3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Associating to State: Authenticating
-[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
+[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
 [4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition START_AUTH  --> AUTHENTICATING  
 [0]0EF8.2EF4::‎08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PHY_STATE_CHANGE  
 [0]0EF8.2EF4::08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Change radio state for interface = Intel(R) Centrino(R) Ultimate-N 6300 AGN :  PHY = 3, software state = on , hardware state = off ) 
 [0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PORT_DOWN  
 [0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]FSM Current state Authenticating , event Upcall_Port_Down  
 [0] 0EF8.1174:: 08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received IHV PORT DOWN, peer 0x186472F64FD2 
-[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
- [2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
+[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
+ [2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
 [2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Authenticating to State: Roaming
-```
-- The trail backwards reveals a Port Down notification. Port events indicate changes closer to the wireless hardware. The trail can be followed by continuing to see the origin of this indication.
-Below, the MSM is the native wifi stack (as seen in Figure 1). These are Windows native wifi drivers which talk to the wifi miniport driver(s). It is responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it.
+
    + +The trail backwards reveals a **Port Down** notification: + +\[0\] 0EF8.1174:: 08/28/17-13:24:29.705 \[Microsoft-Windows-WLAN-AutoConfig\]Received IHV PORT DOWN, peer 0x186472F64FD2 + +Port events indicate changes closer to the wireless hardware. The trail can be followed by continuing to see the origin of this indication. + +Below, the MSM is the native wifi stack. These are Windows native wifi drivers which talk to the wifi miniport drivers. It is responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it. + Enable trace filter for **[Microsoft-Windows-NWifi]:** -``` +
     [3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Associating to State: Authenticating
-[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
+[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
 [4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x8A1514B62510 AuthMgr Transition START_AUTH  --> AUTHENTICATING  
 [0]0000.0000::‎08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4 
 [0]0EF8.2EF4::‎08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PHY_STATE_CHANGE  
@@ -186,14 +219,108 @@ Associating to State: Authenticating
 [0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PORT_DOWN  
 [0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]FSM Current state Authenticating , event Upcall_Port_Down  
 [0] 0EF8.1174:: 08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received IHV PORT DOWN, peer 0x186472F64FD2 
-[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
- [2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
+[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
+ [2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
 [2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
-Authenticating to State: Roaming
+Authenticating to State: Roaming
    + +In the trace above, we see the line: + +
    +[0]0000.0000::‎08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4
    + +This is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disassociate coming from the Access Point (AP), as an indication to deny the connection. This could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This would be done by examining internal logging/tracing from the AP. + +### Resources + +[802.11 Wireless Tools and Settings](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10))
    +[Understanding 802.1X authentication for wireless networks](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29)
    + +## Example ETW capture + +
    +C:\tmp>netsh trace start wireless_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl
+
+Trace configuration:
+-------------------------------------------------------------------
+Status:             Running
+Trace File:         C:\tmp\wireless.etl
+Append:             Off
+Circular:           On
+Max Size:           4096 MB
+Report:             Off
+
+C:\tmp>netsh trace stop
+Correlating traces ... done
+Merging traces ... done
+Generating data collection ... done
+The trace file and additional troubleshooting information have been compiled as "c:\tmp\wireless.cab".
+File location = c:\tmp\wireless.etl
+Tracing session was successfully stopped.
+
+C:\tmp>netsh trace convert c:\tmp\wireless.etl
+
+Input file:  c:\tmp\wireless.etl
+Dump file:   c:\tmp\wireless.txt
+Dump format: TXT
+Report file: -
+Generating dump ... done
+
+C:\tmp>dir
+ Volume in drive C has no label.
+ Volume Serial Number is 58A8-7DE5
+
+ Directory of C:\tmp
+
+01/09/2019  02:59 PM    [DIR]          .
+01/09/2019  02:59 PM    [DIR]          ..
+01/09/2019  02:59 PM         4,855,952 wireless.cab
+01/09/2019  02:56 PM         2,752,512 wireless.etl
+01/09/2019  02:59 PM         2,786,540 wireless.txt
+               3 File(s)     10,395,004 bytes
+               2 Dir(s)  46,648,332,288 bytes free
+
    + +## Wifi filter file + +Copy and paste all the lines below and save them into a text file named "wifi.tat." Load the filter file into the TextAnalysisTool by clicking **File > Load Filters**. + +``` + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ``` -The port down event is occurring due to a Disassociate coming Access Point as an indication to deny the connection. This could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This would be done by examining internal logging/tracing from MAC device. -### **Resources** -### [802.11 Wireless Tools and Settings](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10)) -### [Understanding 802.1X authentication for wireless networks](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29) +## TextAnalysisTool example +In the following example, the **View** settings are configured to **Show Only Filtered Lines**. + +![TAT filter example](images/tat.png) \ No newline at end of file diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md index f5b708473d..91800241a0 100644 --- a/windows/client-management/change-history-for-client-management.md +++ b/windows/client-management/change-history-for-client-management.md @@ -9,13 +9,30 @@ ms.pagetype: security ms.localizationpriority: medium author: jdeckerMS ms.author: jdecker -ms.date: 09/12/2017 +ms.date: 12/06/2018 --- # Change history for Client management This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile. +## December 2018 + +New or changed topic | Description +--- | --- +[Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md) | New +[Collect data using Network Monitor](troubleshoot-tcpip-netmon.md) | New +[Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md) | New +[Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md) | New +[Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md) | New + +## November 2018 + +New or changed topic | Description +--- | --- + [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md) | New + [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md) | New + ## RELEASE: Windows 10, version 1709 The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). diff --git a/windows/client-management/data-collection-for-802-authentication.md b/windows/client-management/data-collection-for-802-authentication.md index aea4ddbb30..b0f3faa4c1 100644 --- a/windows/client-management/data-collection-for-802-authentication.md +++ b/windows/client-management/data-collection-for-802-authentication.md @@ -1,551 +1,382 @@ --- -title: Data Collection for Troubleshooting 802.1x Authentication -description: Data needed for reviewing 802.1x Authentication issues -keywords: troubleshooting, data collection, data, 802.1x authentication, authentication, data +title: Data collection for troubleshooting 802.1X authentication +description: Data needed for reviewing 802.1X Authentication issues +keywords: troubleshooting, data collection, data, 802.1X authentication, authentication, data ms.prod: w10 ms.mktglfcycl: ms.sitesec: library author: kaushika-msft ms.localizationpriority: medium ms.author: mikeblodge -ms.date: 10/29/2018 --- -# Data Collection for Troubleshooting 802.1x Authentication - - -## Steps to capture Wireless/Wired functionality logs +# Data collection for troubleshooting 802.1X authentication + +Use the following steps to collect data that can be used to troubleshoot 802.1X authentication issues. When you have collected data, see [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md). +## Capture wireless/wired functionality logs + +Use the following steps to collect wireless and wired logs on Windows and Windows Server: + 1. Create C:\MSLOG on the client machine to store captured logs. -2. Launch a command prompt as an administrator on the client machine, and run the following commands to start RAS trace log and Wireless/Wired scenario log: +2. Launch an elevated command prompt on the client machine, and run the following commands to start a RAS trace log and a Wireless/Wired scenario log. -**On Windows 8.1, Windows 10 Wireless Client** - -```dos -netsh ras set tracing * enabled -``` -```dos -netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl -``` - -**On Windows 7, Winodws 8 Wireless Client** -```dos -netsh ras set tracing * enabled -``` -```dos -netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl -``` - -**On Wired network client** - -```dos -netsh ras set tracing * enabled -``` -```dos -netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_cli.etl -``` + **Wireless Windows 8.1 and Windows 10:** + ``` + netsh ras set tracing * enabled + netsh trace start scenario=wlan,wlan_wpp,wlan_dbg,wireless_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl + ``` + +
    **Wireless Windows 7 and Windows 8:** + ``` + netsh ras set tracing * enabled + netsh trace start scenario=wlan,wlan_wpp,wlan_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl + ``` + +
    **Wired client, regardless of version** + ``` + netsh ras set tracing * enabled + netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_cli.etl + ``` -3. Run the followind command to enable CAPI2 logging: - -```dos -wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true -``` +3. Run the following command to enable CAPI2 logging and increase the size : + ``` + wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true + wevtutil sl Microsoft-Windows-CAPI2/Operational /ms:104857600 + ``` 4. Create C:\MSLOG on the NPS to store captured logs. -5. Launch a command prompt as an administrator on the NPS and run the following commands to start RAS trace log and Wireless/Wired scenario log: +5. Launch an elevated command prompt on the NPS server and run the following commands to start a RAS trace log and a Wireless/Wired scenario log: -**On Windows Server 2012 R2, Windows Server 2016 Wireless network** - - ```dos - netsh ras set tracing * enabled + **Windows Server 2012 R2, Windows Server 2016 wireless network:** ``` - ```dos - netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl + netsh ras set tracing * enabled + netsh trace start scenario=wlan,wlan_wpp,wlan_dbg,wireless_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl ``` - -**On Windows Server 2008 R2, Winodws Server 2012 Wireless network** - - ```dos - netsh ras set tracing * enabled - ``` - ```dos - netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl - ``` - -**On wired network** - - ```dos - netsh ras set tracing * enabled - ``` - ```dos - netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_nps.etl - ``` - -6. Run the followind command to enable CAPI2 logging: - - ```dos - wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true - ``` - -7. Run the following command from the command prompt on the client machine and start PSR to capture screen images: - - -> [!NOTE] -> When the mouse button is clicked, the cursor will blink in red while capturing a screen image. - - ```dos - psr /start /output c:\MSLOG\%computername%\_psr.zip /maxsc 100 - ``` - -8. Repro the issue. - -9. Run the following command on the client machine to stop the PSR capturing: - - ```dos - psr /stop - ``` - -10. Run the following commands from the command prompt on the NPS. - -**Stopping RAS trace log and Wireless scenario log** - - ```dos - netsh trace stop - ``` - ```dos - netsh ras set tracing * disabled - ``` - -**Disabling and copying CAPI2 log** - ```dos - wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false +
    **Windows Server 2008 R2, Windows Server 2012 wireless network** ``` - ```dos - wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx + netsh ras set tracing * enabled + netsh trace start scenario=wlan,wlan_wpp,wlan_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl ``` - -11. Run the following commands from the prompt on the client machine. - -**Stopping RAS trace log and Wireless scenario log** - ```dos - netsh trace stop +
    **Wired network** ``` - ```dos - netsh ras set tracing * disabled + netsh ras set tracing * enabled + netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_nps.etl ``` -**Disabling and copying CAPI2 log** +6. Run the following command to enable CAPI2 logging and increase the size : + ``` + wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true + wevtutil sl Microsoft-Windows-CAPI2/Operational /ms:104857600 + ``` +7. Run the following command from the command prompt on the client machine and start PSR to capture screen images: + + > [!NOTE] + > When the mouse button is clicked, the cursor will blink in red while capturing a screen image. - ```dos - wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false ``` - ```dos - wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx + psr /start /output c:\MSLOG\%computername%_psr.zip /maxsc 100 + ``` +8. Repro the issue. +9. Run the following command on the client PC to stop the PSR capturing: + + ``` + psr /stop ``` -12. Save the following logs on the client and the NPS. +10. Run the following commands from the command prompt on the NPS server. -**Client** - - C:\MSLOG\%computername%_psr.zip - - C:\MSLOG\CAPI2_%COMPUTERNAME%.evtx - - C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl - - C:\MSLOG\%COMPUTERNAME%_wireless_cli.cab - - All log files and folders in %Systemroot%\Tracing + - To stop RAS trace log and wireless scenario log: + + ``` + netsh trace stop + netsh ras set tracing * disabled + ``` + - To disable and copy CAPI2 log: + + ``` + wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false + wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx + ``` -**NPS** - - C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx - - C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl (%COMPUTERNAME%_wired_nps.etl for wired scenario) - - C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario) - - All log files and folders in %Systemroot%\Tracing +11. Run the following commands on the client PC. + - To stop RAS trace log and wireless scenario log: + ``` + netsh trace stop + netsh ras set tracing * disabled + ``` + - To disable and copy the CAPI2 log: + ``` + wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false + wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx + ``` -### Steps to save environmental / configuration information +12. Save the following logs on the client and the NPS: -**Client** + **Client** + - C:\MSLOG\%computername%_psr.zip + - C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx + - C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl + - C:\MSLOG\%COMPUTERNAME%_wireless_cli.cab + - All log files and folders in %Systemroot%\Tracing + + **NPS** + - C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx + - C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl (%COMPUTERNAME%_wired_nps.etl for wired scenario) + - C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario) + - All log files and folders in %Systemroot%\Tracing + +## Save environment and configuration information + +### On Windows client + 1. Create C:\MSLOG to store captured logs. 2. Launch a command prompt as an administrator. 3. Run the following commands. - - Environmental information and Group Policies application status - ```dos - gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.htm - - msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt - - ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt - - route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt - ``` - -**Event logs** + - Environment information and Group Policy application status + + ``` + gpresult /H C:\MSLOG\%COMPUTERNAME%_gpresult.htm + msinfo32 /report c:\MSLOG\%COMPUTERNAME%_msinfo32.txt + ipconfig /all > c:\MSLOG\%COMPUTERNAME%_ipconfig.txt + route print > c:\MSLOG\%COMPUTERNAME%_route_print.txt + ``` + - Event logs + + ``` + wevtutil epl Application c:\MSLOG\%COMPUTERNAME%_Application.evtx + wevtutil epl System c:\MSLOG\%COMPUTERNAME%_System.evtx + wevtutil epl Security c:\MSLOG\%COMPUTERNAME%_Security.evtx + wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%_GroupPolicy_Operational.evtx + wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx + wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%_Microsoft-Windows-Wired-AutoConfig-Operational.evtx + wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx + wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx + ``` + - For Windows 8 and later, also run these commands for event logs: + + ``` + wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx + wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-User_Operational.evtx + wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServices-Deployment_Operational.evtx + ``` + - Certificates Store information: + + ``` + certutil -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%_cert-Personal-Registry.txt + certutil -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-Registry.txt + certutil -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-GroupPolicy.txt + certutil -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_TrustedRootCA-Enterprise.txt + certutil -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Reg.txt + certutil -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-GroupPolicy.txt + certutil -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Enterprise.txt + certutil -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-Registry.txt + certutil -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-GroupPolicy.txt + certutil -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%_cert-Intermediate-Enterprise.txt + certutil -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Registry.txt + certutil -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-GroupPolicy.txt + certutil -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Enterprise.txt + certutil -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Registry.txt + certutil -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-GroupPolicy.txt + certutil -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Enterprise.txt + certutil -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%_cert-NtAuth-Enterprise.txt + certutil -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%_cert-User-Personal-Registry.txt + certutil -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Registry.txt + certutil -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Enterprise.txt + certutil -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-Registry.txt + certutil -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-GroupPolicy.txt + certutil -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-Registry.txt + certutil -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-GroupPolicy.txt + certutil -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-Registry.txt + certutil -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-GroupPolicy.txt + certutil -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-Registry.txt + certutil -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-GroupPolicy.txt + certutil -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-Registry.txt + certutil -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-GroupPolicy.txt + certutil -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%_cert-User-UserDS.txt + ``` + - Wireless LAN client information: + + ``` + netsh wlan show all > c:\MSLOG\%COMPUTERNAME%_wlan_show_all.txt + netsh wlan export profile folder=c:\MSLOG\ + ``` + - Wired LAN Client information + + ``` + netsh lan show interfaces > c:\MSLOG\%computername%_lan_interfaces.txt + netsh lan show profiles > c:\MSLOG\%computername%_lan_profiles.txt + netsh lan show settings > c:\MSLOG\%computername%_lan_settings.txt + netsh lan export profile folder=c:\MSLOG\ + ``` +4. Save the logs stored in C:\MSLOG. -**Run the following command on Windows 8 and above ** -```dos -wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx - -wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx - -wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx -``` - -```dos -wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx - -wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx - -wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx - -wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx - -wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx - -wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-Wired-AutoConfig-Operational.evtx - -wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx - -wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx -``` +### On NPS -**Certificates Store information** - -```dos -certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt - -certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt - -certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt - -certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt - -certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt - -certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt - -certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt - -certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt - -certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt - -certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt - -certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt - -certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt - -certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt - -certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt - -certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt - -certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt - -certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt - -certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt - -certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt - -certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt - -certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt - -certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt - -certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt - -certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt - -certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt - -certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt - -certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt - -certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt - -certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt - -certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt - -certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt -``` - -**Wireless LAN Client information** -```dos -netsh wlan show all > c:\MSLOG\%COMPUTERNAME%\_wlan\_show\_all.txt - -netsh wlan export profile folder=c:\MSLOG\ -``` - -**Wired LAN Client information** -```dos -netsh lan show all > c:\MSLOG\%COMPUTERNAME%\_lan\_show\_all.txt - -netsh lan export profile folder=c:\MSLOG\ -``` +1. Create C:\MSLOG to store captured logs. +2. Launch a command prompt as an administrator. +3. Run the following commands. + - Environmental information and Group Policies application status: + + ``` + gpresult /H C:\MSLOG\%COMPUTERNAME%_gpresult.txt + msinfo32 /report c:\MSLOG\%COMPUTERNAME%_msinfo32.txt + ipconfig /all > c:\MSLOG\%COMPUTERNAME%_ipconfig.txt + route print > c:\MSLOG\%COMPUTERNAME%_route_print.txt + ``` + - Event logs: + + ``` + wevtutil epl Application c:\MSLOG\%COMPUTERNAME%_Application.evtx + wevtutil epl System c:\MSLOG\%COMPUTERNAME%_System.evtx + wevtutil epl Security c:\MSLOG\%COMPUTERNAME%_Security.evtx + wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%_GroupPolicy_Operational.evtx + wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx + wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx + ``` + - Run the following 3 commands on Windows Server 2012 and later: + + ``` + wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx + wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-User_Operational.evtx + wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServices-Deployment_Operational.evtx + ``` + - Certificates store information + + ``` + certutil -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%_cert-Personal-Registry.txt + certutil -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-Registry.txt + certutil -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-GroupPolicy.txt + certutil -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_TrustedRootCA-Enterprise.txt + certutil -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Reg.txt + certutil -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-GroupPolicy.txt + certutil -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Enterprise.txt + certutil -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-Registry.txt + certutil -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-GroupPolicy.txt + certutil -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%_cert-Intermediate-Enterprise.txt + certutil -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Registry.txt + certutil -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-GroupPolicy.txt + certutil -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Enterprise.txt + certutil -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Registry.txt + certutil -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-GroupPolicy.txt + certutil -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Enterprise.txt + certutil -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%_cert-NtAuth-Enterprise.txt + certutil -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%_cert-User-Personal-Registry.txt + certutil -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Registry.txt + certutil -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Enterprise.txt + certutil -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-Registry.txt + certutil -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-GroupPolicy.txt + certutil -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-Registry.txt + certutil -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-GroupPolicy.txt + certutil -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-Registry.txt + certutil -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-GroupPolicy.txt + certutil -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-Registry.txt + certutil -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-GroupPolicy.txt + certutil -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-Registry.txt + certutil -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-GroupPolicy.txt + certutil -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%_cert-User-UserDS.txt + ``` + - NPS configuration information: + + ``` + netsh nps show config > C:\MSLOG\%COMPUTERNAME%_nps_show_config.txt + netsh nps export filename=C:\MSLOG\%COMPUTERNAME%_nps_export.xml exportPSK=YES + ``` +3. Take the following steps to save an NPS accounting log. + 1. Open **Administrative tools > Network Policy Server**. + 2. On the Network Policy Server administration tool, select **Accounting** in the left pane. + 3. Click **Change Log File Properties**. + 4. On the **Log File** tab, note the log file naming convention shown as **Name** and the log file location shown in **Directory** box. + 5. Copy the log file to C:\MSLOG. 4. Save the logs stored in C:\MSLOG. - - -**NPS** - 1. Create C:\MSLOG to store captured logs. - 2. Launch a command prompt as an administrator. - 3. Run the following commands: - **Environmental information and Group Policies application status** +## Certification Authority (CA) (OPTIONAL) - ```dos - gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt - - msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt - - ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt - - route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt +1. On a CA, launch a command prompt as an administrator. Create C:\MSLOG to store captured logs. +2. Run the following commands. + - Environmental information and Group Policies application status + ``` - -**Event logs** -**Run the following 3 commands on Windows Server 2012 and above:** -```dos -wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx - -wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx - -wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx -``` - -```dos -wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx - -wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx - -wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx - -wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx - -wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx - -wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx -``` - -**Certificates store information** -```dos -certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt - -certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt - -certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt - -certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt - -certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt - -certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt - -certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt - -certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt - -certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt - -certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt - -certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt - -certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt - -certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt - -certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt - -certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt - -certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt - -certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt - -certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt - -certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt - -certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt - -certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt - -certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt - -certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt - -certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt - -certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt - -certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt - -certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt - -certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt - -certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt - -certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt - -certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt -``` - -**NPS configuration information** -```dos -netsh nps show config > C:\MSLOG\%COMPUTERNAME%\_nps\_show\_config.txt - -netsh nps export filename=C:\MSLOG\%COMPUTERNAME%\_nps\_export.xml exportPSK=YES -``` - -3. Take the following steps to save an NPS accounting log: -4. Launch **Administrative tools** - **Network Policy Server**. - - On the Network Policy Server administration tool, select **Accounting** in the left pane. - - Click **Change Log File Properties** in the right pane. - - Click the **Log File** tab, note the log file naming convention shown as *Name* and the log file location shown in the **Directory** box. - - Copy the log file to C:\MSLOG. - - Save the logs stored in C:\MSLOG. - - -**Certificate Authority (CA)** *Optional* - -1. On a CA, launch a command prompt as an administrator. -2. Create C:\MSLOG to store captured logs. -3. Run the following commands: - -Environmental information and Group Policies application status - -```dos -gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt - -msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt - -ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt - -route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt -``` - -**Event logs** - -**Run the following 3 lines on Windows 2012 and up:** - -```dos -wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx - -wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx - -wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx -``` - -```dos -wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx - -wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx - -wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx - -wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx - -wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx - -wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx -``` - -**Certificates store information** - -```dos -certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt - -certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt - -certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt - -certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt - -certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt - -certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt - -certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt - -certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt - -certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt - -certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt - -certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt - -certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt - -certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt - -certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt - -certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt - -certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt - -certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt - -certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt - -certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt - -certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt - -certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt - -certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt - -certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt - -certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt - -certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt - -certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt - -certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt - -certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt - -certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt - -certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt - -certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt -``` - -**CA configuration information** -```dos -reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.hiv - -reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.txt - -reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.hiv - -reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.tx -``` - -4. Copy the following files, if exist, to C:\MSLOG. %windir%\CAPolicy.inf -5. Log on to a domain controller and create C:\MSLOG to store captured logs. -6. Launch Windows PowerShell as an administrator. -7. Run the following PowerShell commandlets - - \* Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain. -```powershell -Import-Module ActiveDirectory - -Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject\_$Env:COMPUTERNAME.txt -``` -8. Save the following logs: -- All files in C:\MSLOG on the CA -- All files in C:\MSLOG on the domain controller + gpresult /H C:\MSLOG\%COMPUTERNAME%_gpresult.txt + msinfo32 /report c:\MSLOG\%COMPUTERNAME%_msinfo32.txt + ipconfig /all > c:\MSLOG\%COMPUTERNAME%_ipconfig.txt + route print > c:\MSLOG\%COMPUTERNAME%_route_print.txt + ``` + - Event logs + + ``` + wevtutil epl Application c:\MSLOG\%COMPUTERNAME%_Application.evtx + wevtutil epl System c:\MSLOG\%COMPUTERNAME%_System.evtx + wevtutil epl Security c:\MSLOG\%COMPUTERNAME%_Security.evtx + wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%_GroupPolicy_Operational.evtx + wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx + wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx + ``` + - Run the following 3 lines on Windows 2012 and up + + ``` + wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx + wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-User_Operational.evtx + wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServices-Deployment_Operational.evtx + ``` + - Certificates store information + + ``` + certutil -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%_cert-Personal-Registry.txt + certutil -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-Registry.txt + certutil -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-GroupPolicy.txt + certutil -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_TrustedRootCA-Enterprise.txt + certutil -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Reg.txt + certutil -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-GroupPolicy.txt + certutil -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Enterprise.txt + certutil -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-Registry.txt + certutil -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-GroupPolicy.txt + certutil -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%_cert-Intermediate-Enterprise.txt + certutil -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Registry.txt + certutil -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-GroupPolicy.txt + certutil -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Enterprise.txt + certutil -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Registry.txt + certutil -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-GroupPolicy.txt + certutil -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Enterprise.txt + certutil -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%_cert-NtAuth-Enterprise.txt + certutil -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%_cert-User-Personal-Registry.txt + certutil -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Registry.txt + certutil -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Enterprise.txt + certutil -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-Registry.txt + certutil -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-GroupPolicy.txt + certutil -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-Registry.txt + certutil -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-GroupPolicy.txt + certutil -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-Registry.txt + certutil -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-GroupPolicy.txt + certutil -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-Registry.txt + certutil -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-GroupPolicy.txt + certutil -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-Registry.txt + certutil -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-GroupPolicy.txt + certutil -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%_cert-User-UserDS.txt + ``` + - CA configuration information + + ``` + reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%_CertSvc.hiv + reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%_CertSvc.txt + reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%_Cryptography.hiv + reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%_Cryptography.txt + ``` +3. Copy the following files, if exist, to C:\MSLOG: %windir%\CAPolicy.inf +4. Log on to a domain controller and create C:\MSLOG to store captured logs. +5. Launch Windows PowerShell as an administrator. +6. Run the following PowerShell cmdlets. Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain. + + ```powershell + Import-Module ActiveDirectory + Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter * -Properties * | fl * > C:\MSLOG\Get-ADObject_$Env:COMPUTERNAME.txt + ``` +7. Save the following logs. + - All files in C:\MSLOG on the CA + - All files in C:\MSLOG on the domain controller diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index 4fc5382798..eab3b9f62e 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -35,8 +35,6 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", - "ms.author": "dongill", - "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", diff --git a/windows/client-management/images/boot-sequence-thumb.png b/windows/client-management/images/boot-sequence-thumb.png new file mode 100644 index 0000000000..164f9f9848 Binary files /dev/null and b/windows/client-management/images/boot-sequence-thumb.png differ diff --git a/windows/client-management/images/boot-sequence.png b/windows/client-management/images/boot-sequence.png new file mode 100644 index 0000000000..31e6dc34c9 Binary files /dev/null and b/windows/client-management/images/boot-sequence.png differ diff --git a/windows/client-management/images/bugcheck-analysis.png b/windows/client-management/images/bugcheck-analysis.png new file mode 100644 index 0000000000..e4b4f033f8 Binary files /dev/null and b/windows/client-management/images/bugcheck-analysis.png differ diff --git a/windows/client-management/images/capi.png b/windows/client-management/images/capi.png new file mode 100644 index 0000000000..76bbcd0650 Binary files /dev/null and b/windows/client-management/images/capi.png differ diff --git a/windows/client-management/images/check-disk.png b/windows/client-management/images/check-disk.png new file mode 100644 index 0000000000..2c5859470e Binary files /dev/null and b/windows/client-management/images/check-disk.png differ diff --git a/windows/client-management/images/controlset.png b/windows/client-management/images/controlset.png new file mode 100644 index 0000000000..fe9d3c8820 Binary files /dev/null and b/windows/client-management/images/controlset.png differ diff --git a/windows/client-management/images/etl.png b/windows/client-management/images/etl.png new file mode 100644 index 0000000000..14a62c6450 Binary files /dev/null and b/windows/client-management/images/etl.png differ diff --git a/windows/client-management/images/eventviewer.png b/windows/client-management/images/eventviewer.png index 76bbcd0650..e0aa5d1721 100644 Binary files a/windows/client-management/images/eventviewer.png and b/windows/client-management/images/eventviewer.png differ diff --git a/windows/client-management/images/loadhive.png b/windows/client-management/images/loadhive.png new file mode 100644 index 0000000000..62c6643140 Binary files /dev/null and b/windows/client-management/images/loadhive.png differ diff --git a/windows/client-management/images/miniport.png b/windows/client-management/images/miniport.png new file mode 100644 index 0000000000..ba1b2fed2d Binary files /dev/null and b/windows/client-management/images/miniport.png differ diff --git a/windows/client-management/images/msm.png b/windows/client-management/images/msm.png new file mode 100644 index 0000000000..397df3e350 Binary files /dev/null and b/windows/client-management/images/msm.png differ diff --git a/windows/client-management/images/msmdetails.png b/windows/client-management/images/msmdetails.png index ad146b102e..cbcf20e114 100644 Binary files a/windows/client-management/images/msmdetails.png and b/windows/client-management/images/msmdetails.png differ diff --git a/windows/client-management/images/nm-adapters.png b/windows/client-management/images/nm-adapters.png new file mode 100644 index 0000000000..f4e25fdbc8 Binary files /dev/null and b/windows/client-management/images/nm-adapters.png differ diff --git a/windows/client-management/images/nm-start.png b/windows/client-management/images/nm-start.png new file mode 100644 index 0000000000..ec92f013a2 Binary files /dev/null and b/windows/client-management/images/nm-start.png differ diff --git a/windows/client-management/images/pendingupdate.png b/windows/client-management/images/pendingupdate.png new file mode 100644 index 0000000000..19d8c9dec4 Binary files /dev/null and b/windows/client-management/images/pendingupdate.png differ diff --git a/windows/client-management/images/revertpending.png b/windows/client-management/images/revertpending.png new file mode 100644 index 0000000000..7b60c6446d Binary files /dev/null and b/windows/client-management/images/revertpending.png differ diff --git a/windows/client-management/images/rpc-error.png b/windows/client-management/images/rpc-error.png new file mode 100644 index 0000000000..0e0828522b Binary files /dev/null and b/windows/client-management/images/rpc-error.png differ diff --git a/windows/client-management/images/rpc-flow.png b/windows/client-management/images/rpc-flow.png new file mode 100644 index 0000000000..a3d9c13030 Binary files /dev/null and b/windows/client-management/images/rpc-flow.png differ diff --git a/windows/client-management/images/screenshot1.png b/windows/client-management/images/screenshot1.png new file mode 100644 index 0000000000..5138b41016 Binary files /dev/null and b/windows/client-management/images/screenshot1.png differ diff --git a/windows/client-management/images/sfc-scannow.png b/windows/client-management/images/sfc-scannow.png new file mode 100644 index 0000000000..1c079288a8 Binary files /dev/null and b/windows/client-management/images/sfc-scannow.png differ diff --git a/windows/client-management/images/tat.png b/windows/client-management/images/tat.png new file mode 100644 index 0000000000..90eb328c38 Binary files /dev/null and b/windows/client-management/images/tat.png differ diff --git a/windows/client-management/images/tcp-ts-1.png b/windows/client-management/images/tcp-ts-1.png new file mode 100644 index 0000000000..621235d5b3 Binary files /dev/null and b/windows/client-management/images/tcp-ts-1.png differ diff --git a/windows/client-management/images/tcp-ts-10.png b/windows/client-management/images/tcp-ts-10.png new file mode 100644 index 0000000000..7bf332b57a Binary files /dev/null and b/windows/client-management/images/tcp-ts-10.png differ diff --git a/windows/client-management/images/tcp-ts-11.png b/windows/client-management/images/tcp-ts-11.png new file mode 100644 index 0000000000..75b0361f89 Binary files /dev/null and b/windows/client-management/images/tcp-ts-11.png differ diff --git a/windows/client-management/images/tcp-ts-12.png b/windows/client-management/images/tcp-ts-12.png new file mode 100644 index 0000000000..592ccf0e76 Binary files /dev/null and b/windows/client-management/images/tcp-ts-12.png differ diff --git a/windows/client-management/images/tcp-ts-13.png b/windows/client-management/images/tcp-ts-13.png new file mode 100644 index 0000000000..da6157c72a Binary files /dev/null and b/windows/client-management/images/tcp-ts-13.png differ diff --git a/windows/client-management/images/tcp-ts-14.png b/windows/client-management/images/tcp-ts-14.png new file mode 100644 index 0000000000..f3a3cc4a35 Binary files /dev/null and b/windows/client-management/images/tcp-ts-14.png differ diff --git a/windows/client-management/images/tcp-ts-15.png b/windows/client-management/images/tcp-ts-15.png new file mode 100644 index 0000000000..e3e161317f Binary files /dev/null and b/windows/client-management/images/tcp-ts-15.png differ diff --git a/windows/client-management/images/tcp-ts-16.png b/windows/client-management/images/tcp-ts-16.png new file mode 100644 index 0000000000..52a5e24e2b Binary files /dev/null and b/windows/client-management/images/tcp-ts-16.png differ diff --git a/windows/client-management/images/tcp-ts-17.png b/windows/client-management/images/tcp-ts-17.png new file mode 100644 index 0000000000..e690bbdf1c Binary files /dev/null and b/windows/client-management/images/tcp-ts-17.png differ diff --git a/windows/client-management/images/tcp-ts-18.png b/windows/client-management/images/tcp-ts-18.png new file mode 100644 index 0000000000..95cf36dbe7 Binary files /dev/null and b/windows/client-management/images/tcp-ts-18.png differ diff --git a/windows/client-management/images/tcp-ts-19.png b/windows/client-management/images/tcp-ts-19.png new file mode 100644 index 0000000000..4f2d239e57 Binary files /dev/null and b/windows/client-management/images/tcp-ts-19.png differ diff --git a/windows/client-management/images/tcp-ts-2.png b/windows/client-management/images/tcp-ts-2.png new file mode 100644 index 0000000000..cdaada6cb6 Binary files /dev/null and b/windows/client-management/images/tcp-ts-2.png differ diff --git a/windows/client-management/images/tcp-ts-20.png b/windows/client-management/images/tcp-ts-20.png new file mode 100644 index 0000000000..9b3c573f7e Binary files /dev/null and b/windows/client-management/images/tcp-ts-20.png differ diff --git a/windows/client-management/images/tcp-ts-21.png b/windows/client-management/images/tcp-ts-21.png new file mode 100644 index 0000000000..1e29a2061e Binary files /dev/null and b/windows/client-management/images/tcp-ts-21.png differ diff --git a/windows/client-management/images/tcp-ts-22.png b/windows/client-management/images/tcp-ts-22.png new file mode 100644 index 0000000000..c49dcd72ee Binary files /dev/null and b/windows/client-management/images/tcp-ts-22.png differ diff --git a/windows/client-management/images/tcp-ts-23.png b/windows/client-management/images/tcp-ts-23.png new file mode 100644 index 0000000000..16ef4604c1 Binary files /dev/null and b/windows/client-management/images/tcp-ts-23.png differ diff --git a/windows/client-management/images/tcp-ts-24.png b/windows/client-management/images/tcp-ts-24.png new file mode 100644 index 0000000000..14ae950076 Binary files /dev/null and b/windows/client-management/images/tcp-ts-24.png differ diff --git a/windows/client-management/images/tcp-ts-25.png b/windows/client-management/images/tcp-ts-25.png new file mode 100644 index 0000000000..21e8b97a08 Binary files /dev/null and b/windows/client-management/images/tcp-ts-25.png differ diff --git a/windows/client-management/images/tcp-ts-3.png b/windows/client-management/images/tcp-ts-3.png new file mode 100644 index 0000000000..ce3072c95e Binary files /dev/null and b/windows/client-management/images/tcp-ts-3.png differ diff --git a/windows/client-management/images/tcp-ts-4.png b/windows/client-management/images/tcp-ts-4.png new file mode 100644 index 0000000000..73bc5f90be Binary files /dev/null and b/windows/client-management/images/tcp-ts-4.png differ diff --git a/windows/client-management/images/tcp-ts-5.png b/windows/client-management/images/tcp-ts-5.png new file mode 100644 index 0000000000..ee64c96da0 Binary files /dev/null and b/windows/client-management/images/tcp-ts-5.png differ diff --git a/windows/client-management/images/tcp-ts-6.png b/windows/client-management/images/tcp-ts-6.png new file mode 100644 index 0000000000..8db75fdb08 Binary files /dev/null and b/windows/client-management/images/tcp-ts-6.png differ diff --git a/windows/client-management/images/tcp-ts-7.png b/windows/client-management/images/tcp-ts-7.png new file mode 100644 index 0000000000..4b61bf7e36 Binary files /dev/null and b/windows/client-management/images/tcp-ts-7.png differ diff --git a/windows/client-management/images/tcp-ts-8.png b/windows/client-management/images/tcp-ts-8.png new file mode 100644 index 0000000000..f0ef8300ba Binary files /dev/null and b/windows/client-management/images/tcp-ts-8.png differ diff --git a/windows/client-management/images/tcp-ts-9.png b/windows/client-management/images/tcp-ts-9.png new file mode 100644 index 0000000000..dba375fd65 Binary files /dev/null and b/windows/client-management/images/tcp-ts-9.png differ diff --git a/windows/client-management/images/unloadhive.png b/windows/client-management/images/unloadhive.png new file mode 100644 index 0000000000..e8eb2f859e Binary files /dev/null and b/windows/client-management/images/unloadhive.png differ diff --git a/windows/client-management/images/unloadhive1.png b/windows/client-management/images/unloadhive1.png new file mode 100644 index 0000000000..3b269f294c Binary files /dev/null and b/windows/client-management/images/unloadhive1.png differ diff --git a/windows/client-management/images/wcm.png b/windows/client-management/images/wcm.png new file mode 100644 index 0000000000..6c26a3aeb7 Binary files /dev/null and b/windows/client-management/images/wcm.png differ diff --git a/windows/client-management/images/wifi-stack.png b/windows/client-management/images/wifi-stack.png new file mode 100644 index 0000000000..cf94f491c4 Binary files /dev/null and b/windows/client-management/images/wifi-stack.png differ diff --git a/windows/client-management/images/windbg.png b/windows/client-management/images/windbg.png new file mode 100644 index 0000000000..2f489e81a7 Binary files /dev/null and b/windows/client-management/images/windbg.png differ diff --git a/windows/client-management/images/wlan.png b/windows/client-management/images/wlan.png new file mode 100644 index 0000000000..fea20f7272 Binary files /dev/null and b/windows/client-management/images/wlan.png differ diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md new file mode 100644 index 0000000000..ca385d841a --- /dev/null +++ b/windows/client-management/img-boot-sequence.md @@ -0,0 +1,11 @@ +--- +description: A full-sized view of the boot sequence flowchart. +title: Boot sequence flowchart +ms.date: 11/16/2018 +--- + +Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
    + + +![Full-sized boot sequence flowchart](images/boot-sequence.png) + diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md index aa9b63bd2b..7b80381b7c 100644 --- a/windows/client-management/manage-settings-app-with-group-policy.md +++ b/windows/client-management/manage-settings-app-with-group-policy.md @@ -38,7 +38,7 @@ Policy paths: The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon delimited list of URIs in **Settings Page Visiblity**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). >[!NOTE] -> When you specify the URI in the Settings Page Visbility textbox, don't include **ms-settings:** in the string. +> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string. Here are some examples: diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 5d145ddd7f..07e2cb8f96 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -6,7 +6,7 @@ ### [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md) ### [Federated authentication device enrollment](federated-authentication-device-enrollment.md) ### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) -### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) +### [On-premises authentication device enrollment](on-premise-authentication-device-enrollment.md) ## [Understanding ADMX-backed policies](understanding-admx-backed-policies.md) ## [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md) ## [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index b1d8ac001f..8cc949f6b9 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -400,7 +400,7 @@ Location: Example: HTTP/1.1 302 -Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=Acess%20is%20denied%2E +Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=Access%20is%20denied%2E ``` The following table shows the error codes. diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 9231a68bbf..2e0b0840bd 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -6,9 +6,8 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/31/2018 +ms.date: 12/06/2018 --- - # BitLocker CSP > [!WARNING] @@ -795,13 +794,13 @@ The following diagram shows the BitLocker configuration service provider in tree **AllowWarningForOtherDiskEncryption** -

    Allows the Admin to disable the warning prompt for other disk encryption on the user machines.

    +

    Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1.

    > [!Important] -> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview) for value 0. +> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview). > [!Warning] -> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will require reinstallation of Windows. +> When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows. @@ -844,6 +843,16 @@ The following diagram shows the BitLocker configuration service provider in tree ``` +>[!NOTE] +>When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key. +> +>The endpoint for a fixed data drive's backup is chosen in the following order: + >1. The user's Windows Server Active Directory Domain Services account. + >2. The user's Azure Active Directory account. + >3. The user's personal OneDrive (MDM/MAM only). +> +>Encryption will wait until one of these three locations backs up successfully. + **AllowStandardUserEncryption** Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account. @@ -854,7 +863,7 @@ Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where pol If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system. -The expected values for this policy are: +The expected values for this policy are: - 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. - 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive. diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index 4e860c0b4b..8aa018c18c 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -79,7 +79,7 @@ Using the ICD, create a provisioning package using the enrollment information re 12. Enter the values for your package and specify the package output location. ![enter package information](images/bulk-enrollment3.png) - ![enter additonal information for package information](images/bulk-enrollment4.png) + ![enter additional information for package information](images/bulk-enrollment4.png) ![specify file location](images/bulk-enrollment6.png) 13. Click **Build**. diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md index 4fb7edff7c..97ae506323 100644 --- a/windows/client-management/mdm/diagnosticlog-ddf.md +++ b/windows/client-management/mdm/diagnosticlog-ddf.md @@ -25,7 +25,7 @@ The content below are the latest versions of the DDF files: ## DiagnosticLog CSP version 1.2 -``` syntax +```xml 4 - This node is used for setting or getting the block size (in Kilobytes) for the download of assoicated log file. The value range is 1~16. Default value is 4. + This node is used for setting or getting the block size (in Kilobytes) for the download of associated log file. The value range is 1~16. Default value is 4. @@ -634,7 +634,7 @@ The content below are the latest versions of the DDF files: ## DiagnosticLog CSP version 1.3 -``` syntax +```xml 4 - This node is used for setting or getting the block size (in Kilobytes) for the download of assoicated log file. The value range is 1~16. Default value is 4. + This node is used for setting or getting the block size (in Kilobytes) for the download of associated log file. The value range is 1~16. Default value is 4. diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 65b730f7d4..24e4a9039a 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -11,13 +11,13 @@ ms.date: 10/04/2017 # Enroll a Windows 10 device automatically using Group Policy -Starting in Windows 10, version 1709 you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain joined devices. +Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. Requirements: -- AD-joined PC running Windows 10, version 1709 -- Enterprise has MDM service already configured -- Enterprise AD must be registered with Azure AD -- Device should not already be enrolled in Intune using the classic agents (devices manged using agents will fail enrollment with error 0x80180026) +- AD-joined PC running Windows 10, version 1709 or later +- The enterprise has configured a mobile device management (MDM) service +- The enterprise AD must be [registered with Azure Active Directory (Azure AD)](azure-active-directory-integration-with-mdm.md) +- The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`) > [!Tip] > [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index cf28233abe..a4f77849fe 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -80,10 +80,10 @@ Query parameters: - Bundle - returns installed bundle packages. - Framework - returns installed framework packages. - Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They are parts of a bundle. - - XAP - returns XAP package types. + - XAP - returns XAP package types. This filter is not supported on devices other than Windows Mobile. - All - returns all package types. - If no value is specified, the combination of Main, Bundle, Framework, and XAP are returned. + If no value is specified, the combination of Main, Bundle, and Framework are returned. - PackageFamilyName - specifies the name of a particular package. If you specify this parameter, it returns the Package Family name if the package contains this value. diff --git a/windows/client-management/mdm/images/block-untrusted-processes.png b/windows/client-management/mdm/images/block-untrusted-processes.png new file mode 100644 index 0000000000..c9d774457e Binary files /dev/null and b/windows/client-management/mdm/images/block-untrusted-processes.png differ diff --git a/windows/client-management/mdm/images/class-guids.png b/windows/client-management/mdm/images/class-guids.png new file mode 100644 index 0000000000..6951e4ed5a Binary files /dev/null and b/windows/client-management/mdm/images/class-guids.png differ diff --git a/windows/client-management/mdm/images/custom-profile-prevent-device-ids.png b/windows/client-management/mdm/images/custom-profile-prevent-device-ids.png new file mode 100644 index 0000000000..d949232d44 Binary files /dev/null and b/windows/client-management/mdm/images/custom-profile-prevent-device-ids.png differ diff --git a/windows/client-management/mdm/images/device-manager-disk-drives.png b/windows/client-management/mdm/images/device-manager-disk-drives.png new file mode 100644 index 0000000000..44be977537 Binary files /dev/null and b/windows/client-management/mdm/images/device-manager-disk-drives.png differ diff --git a/windows/client-management/mdm/images/disk-drive-hardware-id.png b/windows/client-management/mdm/images/disk-drive-hardware-id.png new file mode 100644 index 0000000000..cf8399acf4 Binary files /dev/null and b/windows/client-management/mdm/images/disk-drive-hardware-id.png differ diff --git a/windows/client-management/mdm/images/hardware-ids.png b/windows/client-management/mdm/images/hardware-ids.png new file mode 100644 index 0000000000..9017f289f6 Binary files /dev/null and b/windows/client-management/mdm/images/hardware-ids.png differ diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index 72b31a82e2..2fbd4d1bce 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: jdeckerms -ms.date: 09/12/2018 +ms.date: 01/25/2019 --- # Mobile device management @@ -23,12 +23,15 @@ There are two parts to the Windows 10 management component: - The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. - The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT. -Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). +Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347). ## MDM security baseline With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros’ operational needs, addressing security concerns for modern cloud-managed devices. +>[!NOTE] +>Intune support for the MDM security baseline is coming soon. + The MDM security baseline includes policies that cover the following areas: - Microsoft inbox security technology (not deprecated) such as Bitlocker, Smartscreen, and DeviceGuard (virtual-based security), ExploitGuard, Defender, and Firewall @@ -38,8 +41,8 @@ The MDM security baseline includes policies that cover the following areas: - Legacy technology policies that offer alternative solutions with modern technology - And much more -For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see [Security baseline (DRAFT) for Windows 10 v1809 and Windows Server 2019](https://blogs.technet.microsoft.com/secguide/2018/10/01/security-baseline-draft-for-windows-10-v1809-and-windows-server-2019/). - +For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see [MDM Security baseline (Preview) for Windows 10, version 1809](http://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip). +For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](https://docs.microsoft.com/en-us/intune/security-baseline-settings-windows) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 7a2feeca63..52c8272547 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 09/20/2018 +ms.date: 12/06/2018 --- # What's new in MDM enrollment and management @@ -22,32 +22,50 @@ For details about Microsoft mobile device management protocols for Windows 10 s ## In this section -- [What's new in Windows 10, version 1511](#whatsnew) -- [What's new in Windows 10, version 1607](#whatsnew1607) -- [What's new in Windows 10, version 1703](#whatsnew10) -- [What's new in Windows 10, version 1709](#whatsnew1709) -- [What's new in Windows 10, version 1803](#whatsnew1803) -- [What's new in Windows 10, version 1809](#whatsnew1809) -- [Change history in MDM documentation](#change-history-in-mdm-documentation) -- [Breaking changes and known issues](#breaking-changes-and-known-issues) - - [Get command inside an atomic command is not supported](#getcommand) - - [Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10](#notification) - - [Apps installed using WMI classes are not removed](#appsnotremoved) - - [Passing CDATA in SyncML does not work](#cdata) - - [SSL settings in IIS server for SCEP must be set to "Ignore"](#sslsettings) - - [MDM enrollment fails on the mobile device when traffic is going through proxy](#enrollmentviaproxy) - - [Server-initiated unenroll failure](#unenrollment) - - [Certificates causing issues with Wi-Fi and VPN](#certissues) - - [Version information for mobile devices](#versioninformation) - - [Upgrading Windows Phone 8.1 devices with app whitelisting using ApplicationRestriction policy has issues](#whitelist) - - [Apps dependent on Microsoft Frameworks may get blocked](#frameworks) - - [Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile](#wificertissue) - - [Remote PIN reset not supported in Azure Active Directory joined mobile devices](#remote) - - [MDM client will immediately check-in with the MDM server after client renews WNS channel URI](#renewwns) - - [User provisioning failure in Azure Active Directory joined Windows 10 PC](#userprovisioning) - - [Requirements to note for VPN certificates also used for Kerberos Authentication](#kerberos) - - [Device management agent for the push-button reset is not working](#pushbuttonreset) -- [FAQ](#faq) +- [What's new in MDM enrollment and management](#whats-new-in-mdm-enrollment-and-management) + - [In this section](#in-this-section) + - [What's new in Windows 10, version 1511](#a-href%22%22-id%22whatsnew%22awhats-new-in-windows-10-version-1511) + - [What's new in Windows 10, version 1607](#a-href%22%22-id%22whatsnew1607%22awhats-new-in-windows-10-version-1607) + - [What's new in Windows 10, version 1703](#a-href%22%22-id%22whatsnew10%22awhats-new-in-windows-10-version-1703) + - [What's new in Windows 10, version 1709](#a-href%22%22-id%22whatsnew1709%22awhats-new-in-windows-10-version-1709) + - [What's new in Windows 10, version 1803](#a-href%22%22-id%22whatsnew1803%22awhats-new-in-windows-10-version-1803) + - [What's new in Windows 10, version 1809](#a-href%22%22-id%22whatsnew1809%22awhats-new-in-windows-10-version-1809) + - [Breaking changes and known issues](#breaking-changes-and-known-issues) + - [Get command inside an atomic command is not supported](#a-href%22%22-id%22getcommand%22aget-command-inside-an-atomic-command-is-not-supported) + - [Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10](#a-href%22%22-id%22notification%22anotification-channel-uri-not-preserved-during-upgrade-from-windows-81-to-windows-10) + - [Apps installed using WMI classes are not removed](#a-href%22%22-id%22appsnotremoved%22aapps-installed-using-wmi-classes-are-not-removed) + - [Passing CDATA in SyncML does not work](#a-href%22%22-id%22cdata%22apassing-cdata-in-syncml-does-not-work) + - [SSL settings in IIS server for SCEP must be set to "Ignore"](#a-href%22%22-id%22sslsettings%22assl-settings-in-iis-server-for-scep-must-be-set-to-%22ignore%22) + - [MDM enrollment fails on the mobile device when traffic is going through proxy](#a-href%22%22-id%22enrollmentviaproxy%22amdm-enrollment-fails-on-the-mobile-device-when-traffic-is-going-through-proxy) + - [Server-initiated unenrollment failure](#a-href%22%22-id%22unenrollment%22aserver-initiated-unenrollment-failure) + - [Certificates causing issues with Wi-Fi and VPN](#a-href%22%22-id%22certissues%22acertificates-causing-issues-with-wi-fi-and-vpn) + - [Version information for mobile devices](#a-href%22%22-id%22versioninformation%22aversion-information-for-mobile-devices) + - [Upgrading Windows Phone 8.1 devices with app whitelisting using ApplicationRestriction policy has issues](#a-href%22%22-id%22whitelist%22aupgrading-windows-phone-81-devices-with-app-whitelisting-using-applicationrestriction-policy-has-issues) + - [Apps dependent on Microsoft Frameworks may get blocked in phones prior to build 10586.218](#a-href%22%22-id%22frameworks%22aapps-dependent-on-microsoft-frameworks-may-get-blocked-in-phones-prior-to-build-10586218) + - [Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile](#a-href%22%22-id%22wificertissue%22amultiple-certificates-might-cause-wi-fi-connection-instabilities-in-windows-10-mobile) + - [Remote PIN reset not supported in Azure Active Directory joined mobile devices](#a-href%22%22-id%22remote%22aremote-pin-reset-not-supported-in-azure-active-directory-joined-mobile-devices) + - [MDM client will immediately check-in with the MDM server after client renews WNS channel URI](#a-href%22%22-id%22renewwns%22amdm-client-will-immediately-check-in-with-the-mdm-server-after-client-renews-wns-channel-uri) + - [User provisioning failure in Azure Active Directory joined Windows 10 PC](#a-href%22%22-id%22userprovisioning%22auser-provisioning-failure-in-azure-active-directory-joined-windows-10-pc) + - [Requirements to note for VPN certificates also used for Kerberos Authentication](#a-href%22%22-id%22kerberos%22arequirements-to-note-for-vpn-certificates-also-used-for-kerberos-authentication) + - [Device management agent for the push-button reset is not working](#a-href%22%22-id%22pushbuttonreset%22adevice-management-agent-for-the-push-button-reset-is-not-working) + - [Change history in MDM documentation](#change-history-in-mdm-documentation) + - [January 2019](#january-2019) + - [December 2018](#december-2018) + - [September 2018](#september-2018) + - [August 2018](#august-2018) + - [July 2018](#july-2018) + - [June 2018](#june-2018) + - [May 2018](#may-2018) + - [April 2018](#april-2018) + - [March 2018](#march-2018) + - [February 2018](#february-2018) + - [January 2018](#january-2018) + - [December 2017](#december-2017) + - [November 2017](#november-2017) + - [October 2017](#october-2017) + - [September 2017](#september-2017) + - [August 2017](#august-2017) + - [FAQ](#faq) ## What's new in Windows 10, version 1511 @@ -1255,7 +1273,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • WindowsDefenderSecurityCenter/HideSecureBoot
  • WindowsDefenderSecurityCenter/HideTPMTroubleshooting
    • -

    Security/RequireDeviceEncrption - updated to show it is supported in desktop.

    +

    Security/RequireDeviceEncryption - updated to show it is supported in desktop.

     @@ -1760,6 +1778,20 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### January 2019 + +|New or updated topic | Description| +|--- | ---| +|[Policy CSP - Storage](policy-csp-storage.md)|Added the following new policies: AllowStorageSenseGlobal, ConfigStorageSenseGlobalCadence, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseRecycleBinCleanupThreshold, ConfigStorageSenseDownloadsCleanupThreshold, and ConfigStorageSenseCloudContentCleanupThreshold.| +|[SharedPC CSP](sharedpc-csp.md)|Updated values and supported operations.| +|[Mobile device management](index.md)|Updated information about MDM Security Baseline.| + +### December 2018 + +|New or updated topic | Description| +|--- | ---| +|[BitLocker CSP](bitlocker-csp.md)|Updated AllowWarningForOtherDiskEncryption policy description to describe silent and non-silent encryption scenarios, as well as where and how the recovery key is backed up for each scenario.| + ### September 2018 |New or updated topic | Description| @@ -2335,7 +2367,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • Settings/AllowOnlineTips
  • System/DisableEnterpriseAuthProxy
    • -

    Security/RequireDeviceEncrption - updated to show it is supported in desktop.

    +

    Security/RequireDeviceEncryption - updated to show it is supported in desktop.

    diff --git a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md index 4649e684c3..6431b3c083 100644 --- a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md +++ b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md @@ -1,6 +1,6 @@ --- -title: On-premise authentication device enrollment -description: This section provides an example of the mobile device enrollment protocol using on-premise authentication policy. +title: On-premises authentication device enrollment +description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. ms.assetid: 626AC8B4-7575-4C41-8D59-185D607E3A47 ms.author: maricia ms.topic: article @@ -10,16 +10,17 @@ author: MariciaAlforque ms.date: 06/26/2017 --- -# On-premise authentication device enrollment +# On-premises authentication device enrollment - -This section provides an example of the mobile device enrollment protocol using on-premise authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). +This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). ## In this topic -- [Discovery service](#discovery-service) -- [Enrollment policy web service](#enrollment-policy-web-service) -- [Enrollment web service](#enrollment-web-service) +- [On-premises authentication device enrollment](#on-premises-authentication-device-enrollment) + - [In this topic](#in-this-topic) + - [Discovery service](#discovery-service) + - [Enrollment policy web service](#enrollment-policy-web-service) + - [Enrollment web service](#enrollment-web-service) For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). @@ -27,9 +28,9 @@ For the list of enrollment scenarios not supported in Windows 10, see [Enrollme The discovery web service provides the configuration information necessary for a user to enroll a device with a management service. The service is a restful web service over HTTPS (server authentication only). -> **Note**  The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. +>[!NOTE] +>The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. -  The device’s automatic discovery flow uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc The first request is a standard HTTP GET request. @@ -126,9 +127,9 @@ The discovery response is in the XML format and includes the following fields: - Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. - Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. -> **Note**  The HTTP server response must not be chunked; it must be sent as one message. +>[!NOTE] +>The HTTP server response must not be chunked; it must be sent as one message. -  The following example shows a response received from the discovery web service for OnPremise authentication: ``` syntax @@ -211,9 +212,9 @@ After the user is authenticated, the web service retrieves the certificate templ MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. We will first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. Version 3 of MS-XCEP supports hashing algorithms. -> **Note**  The HTTP server response must not be chunked; it must be sent as one message. +>[!NOTE] +>The HTTP server response must not be chunked; it must be sent as one message. -  The following snippet shows the policy web service response. ``` syntax @@ -303,9 +304,9 @@ The RequestSecurityToken will use a custom TokenType (http://schema The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration. -> **Note**  The policy service and the enrollment service must be on the same server; that is, they must have the same host name. +>[!NOTE] +>The policy service and the enrollment service must be on the same server; that is, they must have the same host name. -  The following example shows the enrollment web service request for OnPremise authentication. ``` syntax @@ -514,12 +515,4 @@ The following example shows the encoded provisioning XML. -``` - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index 6f65055513..79bf2a8409 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md @@ -21,7 +21,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic The XML below is for Windows 10, version 1809. -``` syntax +```xml False - Enables/Disables Dyanamic Lock + Enables/Disables Dynamic Lock @@ -1304,4 +1304,4 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re -``` \ No newline at end of file +``` diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 7b0ad06974..dc3c75da62 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -181,6 +181,9 @@ The following list shows the supported values: Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service. +> [!NOTE] +> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). + The following list shows the supported values: diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 1c06c38801..c936dbc5db 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1046,7 +1046,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 7578533727..5d622c650d 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -497,6 +497,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index c9fdf5ff82..dfad46a493 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -498,7 +498,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index f73ed9e092..82eb7ed2c3 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/30/2018 +ms.date: 11/15/2018 --- # Policy CSP - Bluetooth @@ -352,15 +352,21 @@ Footnote: ## ServicesAllowedList usage guide -When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly define Bluetooth profiles and services. It is an allowed list, enabling admins to still allow custom Bluetooth profiles that are not defined by the Bluetooth Special Interests Group (SIG). +When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly defined Bluetooth profiles and services. It is an allowed list, enabling admins to still allow custom Bluetooth profiles that are not defined by the Bluetooth Special Interests Group (SIG). -To define which profiles and services are allowed, enter the profile or service Universally Unique Identifiers (UUID) using semicolon delimiter. To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website. +- Disabling a service shall block incoming and outgoing connections for such services +- Disabling a service shall not publish an SDP record containing the service being blocked +- Disabling a service shall not allow SDP to expose a record for a blocked service +- Disabling a service shall log when a service is blocked for auditing purposes +- Disabling a service shall take effect upon reload of the stack or system reboot + +To define which profiles and services are allowed, enter the semicolon delimited profile or service Universally Unique Identifiers (UUID). To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website. These UUIDs all use the same base UUID with the profile identifiers added to the beginning of the base UUID. Here are some examples: -**Bluetooth Headsets for Voice (HFP)** +**Example of how to enable Hands Free Profile (HFP)** BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB @@ -370,8 +376,22 @@ BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB Footnote: * Used as both Service Class Identifier and Profile Identifier. -Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000111E-0000-1000-8000-00805F9B34FB +Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000**111E**-0000-1000-8000-00805F9B34FB +**Allow Audio Headsets (Voice)** + +|Profile|Reasoning|UUID| +|-|-|-| +|HFP (Hands Free Profile)|For voice-enabled headsets|0x111E| +|Generic Audio Service|Generic audio service|0x1203| +|Headset Service Class|For older voice-enabled headsets|0x1108| +|PnP Information|Used to identify devices occasionally|0x1200| + +This means that if you only want Bluetooth headsets, the UUIDs to include are: + +{0000111E-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB} + + **Allow Audio Headsets and Speakers (Voice & Music)** |Profile |Reasoning |UUID | |---------|---------|---------| |HFP (Hands Free Profile) |For voice enabled headsets |0x111E | -|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers |0x110A | -|GAP (Generic Access Profile) |Generic service used by Bluetooth |0x1800 | -|Device ID (DID) |Generic service used by Bluetooth |0x180A | -|Scan Parameters |Generic service used by Bluetooth |0x1813 | +|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers |0x110B| +|Generic Audio Service|Generic service used by Bluetooth|0x1203| +|Headset Service Class|For older voice-enabled headsets|0x1108| +|AV Remote Control Target Service|For controlling audio remotely|0x110C| +|AV Remote Control Service|For controlling audio remotely|0x110E| +|AV Remote Control Controller Service|For controlling audio remotely|0x110F| +|PnP Information|Used to identify devices occasionally|0x1200| -{0000111E-0000-1000-8000-00805F9B34FB};{0000110A-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB} +{0000111E-0000-1000-8000-00805F9B34FB};{0000110B-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{0000110C-0000-1000-8000-00805F9B34FB};{0000110E-0000-1000-8000-00805F9B34FB};{0000110F-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}; **Classic Keyboards and Mice** |Profile |Reasoning |UUID | |---------|---------|---------| |HID (Human Interface Device) |For classic BR/EDR keyboards and mice |0x1124 | -|GAP (Generic Access Profile) |Generic service used by Bluetooth |0x1800 | -|DID (Device ID) |Generic service used by Bluetooth |0x180A | -|Scan Parameters |Generic service used by Bluetooth |0x1813 | +|PnP Information|Used to identify devices occasionally|0x1200| -{00001801-0000-1000-8000-00805F9B34FB};{00001812-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB} +{00001124-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}; -> [!Note] -> For both Classic and LE use a super set of the two formula’s UUIDs **LE Keyboards and Mice** |Profile |Reasoning |UUID | |---------|---------|---------| -|Generic Access Atribute |For the LE Protocol |0x1801 | +|Generic Access Attribute |For the LE Protocol |0x1801 | |HID Over GATT * |For LE keyboards and mice |0x1812 | |GAP (Generic Access Profile) |Generic service used by Bluetooth |0x1800 | |DID (Device ID) |Generic service used by Bluetooth |0x180A | @@ -433,10 +453,12 @@ Footnote: * The Surface pen uses the HID over GATT profile |---------|---------|---------| |OBEX Object Push (OPP) |For file transfer |0x1105 | |Object Exchange (OBEX) |Protocol for file transfer |0x0008 | -|Generic Access Profile (GAP) |Generic service used by Bluetooth |0x1800 | -|Device ID (DID) |Generic service used by Bluetooth |0x180A | -|Scan Parameters |Generic service used by Bluetooth |0x1813 | - -{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB} +|PnP Information|Used to identify devices occasionally|0x1200| +{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB} +Disabling file transfer shall have the following effects +- Fsquirt shall not allow sending of files +- Fsquirt shall not allow receiving of files +- Fsquirt shall display error message informing user of policy preventing file transfer +- 3rd-party apps shall not be permitted to send or receive files using MSFT Bluetooth API diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index 5369a3d16d..f6626284ef 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -68,7 +68,7 @@ Added in Windows 10, version 1803. This policy allows the IT admin to control wh > MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers. This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. -Note: This policy doesn’t support Delete command. This policy doesn’t support setting the value to be 0 again after it was previously set 1. In Windows 10, version 1809, Delete command and setting the value to be 0 again if it was previously set to 1 will be supported. +Note: This policy doesn’t support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1. The following list shows the supported values: diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index a03fac3671..aabd7f1845 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 01/26/2019 --- # Policy CSP - DataProtection @@ -66,7 +66,7 @@ ms.date: 05/14/2018 -This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled. +This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when [BitLocker Device Encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) is enabled. Most restricted value is 0. diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 996f6c944d..0605b3bb03 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/08/2018 +ms.date: 01/26/2019 --- # Policy CSP - Defender @@ -1156,6 +1156,7 @@ Valid values: 0–100
    + This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. @@ -1170,6 +1171,8 @@ Supported values: - 0 (default) - Disabled - 1 - Enabled +OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/CheckForSignaturesBeforeRunningScan + ADMX Info: @@ -1366,7 +1369,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications. -Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator. +Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator. @@ -1421,7 +1424,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders. -Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator. +Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator. @@ -1547,6 +1550,8 @@ Supported values: - 0 - Disabled - 1 - Enabled (default) +OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/DisableCatchupFullScan + ADMX Info: @@ -1606,9 +1611,9 @@ ADMX Info: -This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. +This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. -If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. +If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off. @@ -1617,6 +1622,8 @@ Supported values: - 0 - Disabled - 1 - Enabled (default) +OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/DisableCatchupQuickScan + ADMX Info: @@ -1679,7 +1686,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess. -Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. +Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the controlled folder access feature. The controlled folder access feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. @@ -2457,12 +2464,14 @@ Possible values are: - MMPC - FileShares -For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } +For example: InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. If you disable or do not configure this setting, definition update sources will be contacted in a default order. +OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder + ADMX Info: @@ -2522,12 +2531,18 @@ ADMX Info: -This policy setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default. +This policy setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources. + +For example: \\unc1\Signatures | \\unc2\Signatures + +The list is empty by default. If you enable this setting, the specified sources will be contacted for definition updates. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted. +OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFileSharesSources + ADMX Info: @@ -2598,6 +2613,8 @@ A value of 0 means no check for new signatures, a value of 1 means to check ever The default value is 8. +OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateInterval + ADMX Info: @@ -2760,7 +2777,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 7c7ed13b63..95e6d74539 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -1566,7 +1566,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index fe2a79ede1..248f11d3fd 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -289,7 +289,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 5dabbc96ab..7380b5d410 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -6,14 +6,10 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/23/2018 --- # Policy CSP - DeviceInstallation -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
    @@ -80,19 +76,26 @@ ms.date: 07/23/2018 -This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. +This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. + +> [!TIP] +> Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + + > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -113,6 +116,37 @@ ADMX Info: +To enable this policy, use the following SyncML. This example allows Windows to install compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `` as a delimiter. + + +``` syntax + + + + $CmdID$ + + + ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceIDs + + + string + + + + + + +``` + +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: + +```txt +>>> [Device Installation Restrictions Policy Check] +>>> Section start 2018/11/15 12:26:41.659 +<<< Section end 2018/11/15 12:26:41.751 +<<< [Exit status: SUCCESS] +``` +
    @@ -151,19 +185,28 @@ ADMX Info: -This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. +This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is allowed to install. + +> [!TIP] +> Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. If you enable this policy setting, Windows is allowed to install or update device drivers whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +This setting allows device installation based on the serial number of a removable device if that number is in the hardware ID. + If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + + > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -184,6 +227,44 @@ ADMX Info: +To enable this policy, use the following SyncML. This example allows Windows to install: + +- Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318} +- CD ROMs, ClassGUID = {4d36e965-e325-11ce-bfc1-08002be10318} +- Modems, ClassGUID = {4d36e96d-e325-11ce-bfc1-08002be10318} + +Enclose the class GUID within curly brackets {}. To configure multiple classes, use `` as a delimiter. + + +``` syntax + + + + $CmdID$ + + + ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses + + + string + + + + + + +``` + +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: + + +```txt +>>> [Device Installation Restrictions Policy Check] +>>> Section start 2018/11/15 12:26:41.659 +<<< Section end 2018/11/15 12:26:41.751 +<<< [Exit status: SUCCESS] +``` +
    @@ -228,6 +309,8 @@ If you enable this policy setting, Windows does not retrieve device metadata for If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet. + + > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). @@ -255,6 +338,8 @@ ADMX Info: + +
    @@ -299,6 +384,7 @@ If you enable this policy setting, Windows is prevented from installing or updat If you disable or do not configure this policy setting, Windows is allowed to install or update the device driver for any device that is not described by the "Prevent installation of devices that match any of these device IDs," "Prevent installation of devices for these device classes," or "Prevent installation of removable devices" policy setting. + > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). @@ -326,6 +412,43 @@ ADMX Info: +To enable this policy, use the following SyncML. This example prevents Windows from installing devices that are not specifically described by any other policy setting. + + +``` syntax + + + + $CmdID$ + + + ./Device/Vendor/MSFT/Policy/Config/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings + + + string + + + + + + +``` + +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: + +```txt +>>> [Device Installation Restrictions Policy Check] +>>> Section start 2018/11/15 12:26:41.659 +<<< Section end 2018/11/15 12:26:41.751 +<<< [Exit status: SUCCESS] +``` + +Windows Defender ATP also blocks installation and usage of prohibited peripherals by using a custom profile in Intune. + +For example, this custom profile blocks installation and usage of USB devices with hardware IDs "USBSTOR\DiskVendorCo" and "USBSTOR\DiskSanDisk_Cruzer_Glide_3.0", and applies to USB devices with matching hardware IDs that are already installed. + +![Custom profile](images/custom-profile-prevent-device-ids.png) +
    @@ -370,6 +493,8 @@ If you enable this policy setting, Windows is prevented from installing a device If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). @@ -388,7 +513,38 @@ ADMX Info: +
    +To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `` as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true. + + +``` syntax + + + + $CmdID$ + + + ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs + + + string + + + + + + +``` + +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: + +```txt +>>> [Device Installation Restrictions Policy Check] +>>> Section start 2018/11/15 12:26:41.659 +<<< Section end 2018/11/15 12:26:41.751 +<<< [Exit status: SUCCESS] +``` **DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses** @@ -432,6 +588,8 @@ If you enable this policy setting, Windows is prevented from installing or updat If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). @@ -451,13 +609,51 @@ ADMX Info:
    +To enable this policy, use the following SyncML. This example prevents Windows from installing: + +- Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318} +- CD ROMs, ClassGUID = {4d36e965-e325-11ce-bfc1-08002be10318} +- Modems, ClassGUID = {4d36e96d-e325-11ce-bfc1-08002be10318} + +Enclose the class GUID within curly brackets {}. To configure multiple classes, use `` as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_Classes_Deny_Retroactive to true. + + +``` syntax + + + + $CmdID$ + + + ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses + + + string + + + + + + +``` + +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: + +```txt +>>> [Device Installation Restrictions Policy Check] +>>> Section start 2018/11/15 12:26:41.659 +<<< Section end 2018/11/15 12:26:41.751 +<<< [Exit status: SUCCESS] +``` + Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 2960d7874f..9c1747dae9 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/29/2018 +ms.date: 12/17/2018 --- # Policy CSP - DmaGuard @@ -65,7 +65,11 @@ ms.date: 06/29/2018 -This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with DMA Remapping/device memory isolation and sandboxing. This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that cannot be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, please check the Kernel DMA Protection field in the Summary page of MSINFO32.exe. +This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with DMA Remapping/device memory isolation and sandboxing. + +Device memory sandboxing allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. + +This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that cannot be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, please check the Kernel DMA Protection field in the Summary page of MSINFO32.exe. > [!Note] > This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices. @@ -105,7 +109,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index abd44c2998..c267e4587c 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1577,7 +1577,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 3cac24872a..823af29f0b 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -2132,7 +2132,7 @@ If you disable or do not configure this policy, users may choose their own site- > [!Note] > This policy is a list that contains the site and index value. -The list is a set of pairs of strings. Each string is seperated by F000. Each pair of string are stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below. +The list is a set of pairs of strings. Each string is seperated by F000. Each pair of strings is stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below. > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 8ff97003f8..276d6b2c9e 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -420,7 +420,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index c536cc66a5..b1594d5d38 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -3588,7 +3588,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 99ad8fd29e..51f9efc4a5 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -664,7 +664,7 @@ If you enable this policy setting, you must provide a value, in seconds, indicat If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 652e5979f3..bccb2e581b 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -4859,7 +4859,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index fb505e937f..ec1d131e0d 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -148,7 +148,7 @@ The following list shows the supported values: > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined. +Specifies whether to allow automatic [device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined. @@ -479,7 +479,7 @@ The following list shows the supported values: Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**. -Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined. +Specifies whether to allow automatic [device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined. @@ -747,7 +747,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index ffb4629d06..fa1b94e71a 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -239,10 +239,10 @@ The following list shows the supported values: - - - - + + + + diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index e889b3c61a..bbbecfc8b2 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -1846,7 +1846,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 7858f38c0e..42dc77dd56 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/27/2018 +ms.date: 01/14/2019 --- # Policy CSP - Storage @@ -24,6 +24,21 @@ ms.date: 08/27/2018
    Storage/AllowDiskHealthModelUpdates
    +
    + Storage/AllowStorageSenseGlobal +
    +
    + Storage/AllowStorageSenseTemporaryFilesCleanup +
    +
    + Storage/ConfigStorageSenseCloudContentDehydrationThreshold +
    +
    + Storage/ConfigStorageSenseGlobalCadence +
    +
    + Storage/ConfigStorageSenseRecycleBinCleanupThreshold +
    Storage/EnhancedStorageDevices
    @@ -73,8 +88,6 @@ ms.date: 08/27/2018 Added in Windows 10, version 1709. Allows disk health model updates. - - Value type is integer. @@ -97,6 +110,420 @@ The following list shows the supported values:
    + +**Storage/AllowStorageSenseGlobal** + + +
    [BitLocker CSP](bitlocker-csp.md)
    [BitLocker CSP](bitlocker-csp.md)
    cross markcheck mark1check mark1check mark1check mark1cross markcross markcross markcross mark check mark1 check mark1
    + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark6check mark6check mark6check mark6
    + + + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Storage Sense can automatically clean some of the user’s files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the Storage/ConfigStorageSenseGlobalCadence group policy. + +If you enable this policy setting without setting a cadence, Storage Sense is turned on for the machine with the default cadence of "during low free disk space." Users cannot disable Storage Sense, but they can adjust the cadence (unless you also configure the Storage/ConfigStorageSenseGlobalCadence group policy). + +If you disable this policy setting, the machine will turn off Storage Sense. Users cannot enable Storage Sense. + +If you do not configure this policy setting, Storage Sense is turned off by default until the user runs into low disk space or the user enables it manually. Users can configure this setting in Storage settings. + + +ADMX Info: +- GP English name: *Allow Storage Sense* +- GP name: *SS_AllowStorageSenseGlobal* +- GP path: *SOFTWARE/Policies/Microsoft/Windows/StorageSense* +- GP ADMX file name: *StorageSense.admx* + + + + + + + + + + + + + +
    + + +**Storage/AllowStorageSenseTemporaryFilesCleanup** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark6check mark6check mark6check mark6
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +When Storage Sense runs, it can delete the user’s temporary files that are not in use. + +If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. + +If you enable this policy setting, Storage Sense will delete the user’s temporary files that are not in use. Users cannot disable this setting in Storage settings. + +If you disable this policy setting, Storage Sense will not delete the user’s temporary files. Users cannot enable this setting in Storage settings. + +If you do not configure this policy setting, Storage Sense will delete the user’s temporary files by default. Users can configure this setting in Storage settings. + + + +ADMX Info: +- GP English name: *Allow Storage Sense Temporary Files cleanup* +- GP name: *SS_AllowStorageSenseTemporaryFilesCleanup* +- GP path: *System/StorageSense* +- GP ADMX file name: *StorageSense.admx* + + + + + + + + + + + + + +
    + + +**Storage/ConfigStorageSenseCloudContentDehydrationThreshold** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark6check mark6check mark6check mark6
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +When Storage Sense runs, it can dehydrate cloud-backed content that hasn’t been opened in a certain amount of days. + +If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. + +If you enable this policy setting, you must provide the number of days since a cloud-backed file has been opened before Storage Sense will dehydrate it. Supported values are: 0–365. + +If you set this value to zero, Storage Sense will not dehydrate any cloud-backed content. The default value is 0, which never dehydrates cloud-backed content. + +If you disable or do not configure this policy setting, then Storage Sense will not dehydrate any cloud-backed content by default. Users can configure this setting in Storage settings. + + + +ADMX Info: +- GP English name: *Configure Storage Sense Cloud Content dehydration threshold* +- GP name: *SS_ConfigStorageSenseCloudContentDehydrationThreshold* +- GP path: *System/StorageSense* +- GP ADMX file name: *StorageSense.admx* + + + + + + + + + + + + + +
    + + + +**Storage/ConfigStorageSenseDownloadsCleanupThreshold** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark6check mark6check mark6check mark6
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +When Storage Sense runs, it can delete files in the user’s Downloads folder if they have been there for over a certain amount of days. + +If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. + +If you enable this policy setting, you must provide the minimum age threshold (in days) of a file in the Downloads folder before Storage Sense will delete it. Supported values are: 0–365. + +If you set this value to zero, Storage Sense will not delete files in the user’s Downloads folder. The default is 0, or never deleting files in the Downloads folder. + +If you disable or do not configure this policy setting, then Storage Sense will not delete files in the user’s Downloads folder by default. Users can configure this setting in Storage settings. + + + +ADMX Info: +- GP English name: *Configure Storage Storage Downloads cleanup threshold* +- GP name: *SS_ConfigStorageSenseDownloadsCleanupThreshold* +- GP path: *System/StorageSense* +- GP ADMX file name: *StorageSense.admx* + + + + + + + + + + + + + +
    + + +**Storage/ConfigStorageSenseGlobalCadence** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark6check mark6check mark6check mark6
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Storage Sense can automatically clean some of the user’s files to free up disk space. +If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. + +If you enable this policy setting, you must provide the desired Storage Sense cadence. + +The following are supported options: + +- 1 – Daily +- 7 – Weekly +- 30 – Monthly +- 0 – During low free disk space + +The default is 0 (during low free disk space). + +If you do not configure this policy setting, then the Storage Sense cadence is set to “during low free disk space” by default. Users can configure this setting in Storage settings. + + + +ADMX Info: +- GP English name: *Configure Storage Sense cadence* +- GP name: *RemovableDisks_DenyWrite_Access_2* +- GP path: *SOFTWARE/Policies/Microsoft/Windows/StorageSense* +- GP ADMX file name: *StorageSense.admx* + + + + + + + + + + + + + +
    + + +**Storage/ConfigStorageSenseRecycleBinCleanupThreshold** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark6check mark6check mark6check mark6
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +When Storage Sense runs, it can delete files in the user’s Recycle Bin if they have been there for over a certain amount of days. + +If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. + +If you enable this policy setting, you must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0–365. + +If you set this value to zero, Storage Sense will not delete files in the user’s Recycle Bin. The default is 30 days. + +If you disable or do not configure this policy setting, Storage Sense will delete files in the user’s Recycle Bin that have been there for over 30 days by default. Users can configure this setting in Storage settings. + + + +ADMX Info: +- GP English name: *Configure Storage Sense Recycle Bin cleanup threshold* +- GP name: *SS_ConfigStorageSenseRecycleBinCleanupThreshold* +- GP path: *System/StorageSense* +- GP ADMX file name: *StorageSense.admx* + + + + + + + + + + + + + +
    + **Storage/EnhancedStorageDevices** @@ -221,6 +648,9 @@ ADMX Info: + + +
    Footnote: @@ -229,7 +659,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 8e9dd3ce58..e1751117bd 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -552,7 +552,9 @@ The following list shows the supported values: -Allow the device to send diagnostic and usage telemetry data, such as Watson. +Allow the device to send diagnostic and usage telemetry data, such as Watson. + +For more information about diagnostic data, including what is and what is not collected by Windows, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization). The following tables describe the supported values: @@ -1437,7 +1439,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md index 7001fe088f..e806cf4108 100644 --- a/windows/client-management/mdm/policy-csp-taskmanager.md +++ b/windows/client-management/mdm/policy-csp-taskmanager.md @@ -93,7 +93,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index e96eb5340c..a6403f3b61 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -1334,7 +1334,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 17ee63877e..2e24ad1c47 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -188,6 +188,9 @@ ms.date: 08/29/2018 +
    +> [!NOTE] +> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
    @@ -3576,6 +3579,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 25ff1652b7..d8a9e0a74b 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -1430,7 +1430,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 07a7954820..e75a0cf6de 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -286,7 +286,7 @@ ADMX Info: -Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. +Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index ef19b3d790..6e97992194 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/26/2017 +ms.date: 01/16/2019 --- # SharedPC CSP @@ -27,18 +27,18 @@ The supported operation is Get. **EnableSharedPCMode** A boolean value that specifies whether Shared PC mode is enabled. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. Setting this value to True triggers the action to configure a device to Shared PC mode. -The default value is False. +The default value is Not Configured and SharedPC mode is not enabled. **SetEduPolicies** A boolean value that specifies whether the policies for education environment are enabled. Setting this value to true triggers the action to configure a device as education environment. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. -The default value changed to false in Windows 10, version 1703. This node needs to be configured independent of EnableSharedPCMode. In Windows 10, version 1607, the default value is true and education environment is automatically configured when SharedPC mode is configured. +The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode. In Windows 10, version 1607, the value is set to True and the education environment is automatically configured when SharedPC mode is configured. **SetPowerPolicies** Optional. A boolean value that specifies that the power policies should be set when configuring SharedPC mode. @@ -46,9 +46,9 @@ Optional. A boolean value that specifies that the power policies should be set w > [!Note] > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. -The default value is True. +The default value is Not Configured and the effective power settings are determined by the OS's default power settings. Its value in the SharedPC provisioning package is True. **MaintenanceStartTime** Optional. An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440. @@ -56,9 +56,9 @@ Optional. An integer value that specifies the daily start time of maintenance ho > [!Note] >  If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. -The default value is 0 (12 AM). +The default value is Not Configured and its value in the SharedPC provisioning package is 0 (12 AM). **SignInOnResume** Optional. A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode. @@ -66,9 +66,9 @@ Optional. A boolean value that, when set to True, requires sign in whenever the > [!Note] > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. -The default value is True. +The default value is Not Configured and its value in the SharedPC provisioning package is True. **SleepTimeout** The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional. @@ -76,9 +76,9 @@ The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. > [!Note] > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. -The default value changed to 300 in Windows 10, version 1703. The default value is 3600 in Windows 10, version 1607. +The default value is Not Configured, and effective behavior is determined by the OS's default settings. Its value in the SharedPC provisioning package for Windows 10, version 1703 is 300, and in Windows 10, version 1607 is 3600. **EnableAccountManager** A boolean that enables the account manager for shared PC mode. @@ -86,9 +86,9 @@ A boolean that enables the account manager for shared PC mode. > [!Note] > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. -The default value is True. +The default value is Not Configured and its value in the SharedPC provisioning package is True. **AccountModel** Configures which type of accounts are allowed to use the PC. @@ -96,7 +96,7 @@ Configures which type of accounts are allowed to use the PC. > [!Note] > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. The following list shows the supported values: @@ -104,13 +104,15 @@ The following list shows the supported values: - 1 - Only domain-joined accounts are enabled. - 2 - Domain-joined and guest accounts are allowed. +Its value in the SharedPC provisioning package is 1 or 2. + **DeletionPolicy** Configures when accounts are deleted. > [!Note] > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. For Windows 10, version 1607, here is the list shows the supported values: @@ -123,17 +125,19 @@ For Windows 10, version 1703, here is the list of supported values: - 1 - Delete at disk space threshold - 2 - Delete at disk space threshold and inactive threshold +The default value is Not Configured. Its value in the SharedPC provisioning package is 1 or 2. + **DiskLevelDeletion** Sets the percentage of disk space remaining on a PC before cached accounts will be deleted to free disk space. Accounts that have been inactive the longest will be deleted first. > [!Note] > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. -The default value is 25. +The default value is Not Configured. Its default value in the SharedPC provisioning package is 25. -For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless whether the PC is actively in use or not. +For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a daily maintenance period, accounts will be deleted (oldest last used first) when the system is idle until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under half of the deletion threshold and disk space is very low, regardless of whether the PC is actively in use or not. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. **DiskLevelCaching** Sets the percentage of available disk space a PC should have before it stops deleting cached accounts. @@ -141,15 +145,16 @@ Sets the percentage of available disk space a PC should have before it stops del > [!Note] > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. -The default value is 50. +The default value is Not Configured. The default value in the SharedPC provisioning package is 25. For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless whether the PC is actively in use or not. +The supported operations are Add, Get, Replace, and Delete. **RestrictLocalStorage** Added in Windows 10, version 1703. Restricts the user from using local storage. This node is optional. -Default value is true Value type is bool. Supported operations are Get and Replace. +The default value is Not Configured and behavior is no such restriction applied. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Default in SharedPC provisioning package is False. > [!Note] > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. @@ -157,7 +162,7 @@ Default value is true Value type is bool. Supported operations are Get and Repla **KioskModeAUMID** Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional. -Value type is string. Supported operations are Get and Replace. +Value type is string. Supported operations are Add, Get, Replace, and Delete. > [!Note] > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. @@ -165,7 +170,7 @@ Value type is string. Supported operations are Get and Replace. **KioskModeUserTileDisplayText** Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen which launches the app specified by KioskModeAUMID. This node is optional. -Value type is string. Supported operations are Get and Replace. +Value type is string. Supported operations are Add, Get, Replace, and Delete. > [!Note] > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. @@ -173,7 +178,9 @@ Value type is string. Supported operations are Get and Replace. **InactiveThreshold** Added in Windows 10, version 1703. Accounts will start being deleted when they have not been logged on during the specified period, given as number of days. -Default value is 30. Value type is integer. Supported operations are Get and Replace. +The default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +The default in the SharedPC provisioning package is 30. **MaxPageFileSizeMB** Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32 GB storage and at least 3 GB of RAM. This node is optional. @@ -181,9 +188,9 @@ Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applie > [!Note] > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. -Default value is 1024. Value type is integer. Supported operations are Get and Replace. - +Default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete. +The default in the SharedPC provisioning package is 1024. ## Related topics diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 4bef8b6e80..fe6bdbb4ad 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -422,7 +422,11 @@ Reserved for future use. Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP). **VPNv2/***ProfileName***/NativeProfile/Servers** -Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. +Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. + +The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. + +You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com. Value type is chr. Supported operations include Get, Add, Replace, and Delete. diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md new file mode 100644 index 0000000000..349f5fce9f --- /dev/null +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -0,0 +1,280 @@ +--- +title: Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device +description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 12/11/2018 +--- + +# Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device + +This article provides steps to troubleshoot **Stop error 7B: Inaccessible_Boot_Device**. This error may occur after some changes are made to the computer, or immediately after you deploy Windows on the computer. + +## Causes of the Inaccessible_Boot_Device Stop error + +Any one of the following factors may cause the stop error: + +* Missing, corrupted, or misbehaving filter drivers that are related to the storage stack + +* File system corruption + +* Changes to the storage controller mode or settings in the BIOS + +* Using a different storage controller than the one that was used when Windows was installed + +* Moving the hard disk to a different computer that has a different controller + +* A faulty motherboard or storage controller, or faulty hardware + +* In unusual cases: the failure of the TrustedInstaller service to commit newly installed updates because of Component Based Store corruptions + +* Corrupted files in the **Boot** partition (for example, corruption in the volume that is labeled **SYSTEM** when you run the `diskpart` > `list vol` command) + +## Troubleshoot this error + +Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). To do this, follow these steps. + +1. Start the system by using [the installation media for the installed version of Windows](https://support.microsoft.com/help/15088). + +2. On the **Install Windows** screen, select **Next** > **Repair your computer** . + +3. On the **System Recovery Options** screen, select **Next** > **Command Prompt** . + +### Verify that the boot disk is connected and accessible + +#### Step 1 + + At the WinRE Command prompt, run `diskpart`, and then run `list disk`. + +A list of the physical disks that are attached to the computer should be displayed and resemble the following display: + +``` + Disk ### Status Size Free Dyn Gpt + + -------- ------------- ------- ------- --- --- + + Disk 0 Online **size* GB 0 B * +``` + +If the computer uses a Unified Extensible Firmware Interface (UEFI) startup interface, there will be an asterisk (*) in the **GPT** column. + +If the computer uses a basic input/output system (BIOS) interface, there will not be an asterisk in the **Dyn** column. + +#### Step 2 + +If the `list disk` command lists the OS disks correctly, run the `list vol` command in `diskpart`. + +`list vol` generates an output that resembles the following display: + +``` + Volume ### Ltr Label Fs Type Size Status Info + + ---------- --- ----------- ----- ---------- ------- --------- -------- + + Volume 0 Windows RE NTFS Partition 499 MB Healthy + + Volume 1 C OSDisk NTFS Partition 222 GB Healthy Boot + + Volume 2 SYSTEM FAT32 Partition 499 MB Healthy System +``` + +>[!NOTE] +>If the disk that contains the OS is not listed in the output, you will have to engage the OEM or virtualization manufacturer. + +### Verify the integrity of Boot Configuration Database + +Check whether the Boot Configuration Database (BCD) has all the correct entries. To do this, run `bcdedit` at the WinRE command prompt. + +To verify the BCD entries: + +1. Examine the **Windows Boot Manager** section that has the **{bootmgr}** identifier. Make sure that the **device** and **path** entries point to the correct device and boot loader file. + + An example output if the computer is UEFI-based: + + ``` + device partition=\Device\HarddiskVolume2 + path \EFI\Microsoft\Boot\bootmgfw.efi + ``` + + An example output if the machine is BIOS based: + ``` + Device partition=C: + ``` + >[!NOTE] + >This output may not contain a path. + +2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device** , **path** , **osdevice,** and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. + + >[!NOTE] + >If the computer is UEFI-based, the **bootmgr** and **winload** entires under **{default}** will contain an **.efi** extension. + + ![bcdedit](images/screenshot1.png) + +If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that is named **bcdbackup** . To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup** . + +After the backup is completed, run the following command to make the changes: + +
    bcdedit /set *{identifier}* option value
    + +For example, if the device under {default} is wrong or missing, run the following command to set it: `bcdedit /set {default} device partition=C:` + + If you want to re-create the BCD completely, or if you get a message that states that "**The boot configuration data store could not be opened. The system could not find the file specified,** " run `bootrec /rebuildbcd`. + +If the BCD has the correct entries, check whether the **winload** and **bootmgr** entries exist in the correct location per the path that is specified in the **bcdedit** command. By default, **bootmgr** in the BIOS partition will be in the root of the **SYSTEM** partition. To see the file, run `Attrib -s -h -r`. + +If the files are missing, and you want to rebuild the boot files, follow these steps: + +1. Copy all the contents under the **SYSTEM** partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM** volume, as follows: + +``` +D:\> Mkdir BootBackup +R:\> Copy *.* D:\BootBackup +``` + +2. If you are using Windows 10, or if you are troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot** command to re-create the boot files, as follows: + + ```cmd + Bcdboot <**OSDrive* >:\windows /s <**SYSTEMdrive* >: /f ALL + ``` + + For example: if we assign the ,System Drive> (WinRE drive) the letter R and the is the letter D, this command would be the following: + + ```cmd + Bcdboot D:\windows /s R: /f ALL + ``` + + >[!NOTE] + >The **ALL** part of the **bcdboot** command writes all the boot files (both UEFI and BIOS) to their respective locations. + +If you do not have a Windows 10 ISO, you must format the partition and copy **bootmgr** from another working computer that has a similar Windows build. To do this, follow these steps: + +1. Start **Notepad** . + +2. Press Ctrl+O. + +3. Navigate to the system partition (in this example, it is R). + +4. Right-click the partition, and then format it. + +### Troubleshooting if this issue occurs after a Windows Update installation + +Run the following command to verify the Windows update installation and dates: + +```cmd +Dism /Image:: /Get-packages +``` + +After you run this command, you will see the **Install pending** and **Uninstall Pending ** packages: + +![Dism output](images/pendingupdate.png) + +1. Run the `dism /Image:C:\ /Cleanup-Image /RevertPendingActions` command. Replace **C:** with the system partition for your computer. + + ![Dism output](images/revertpending.png) + +2. Navigate to ***OSdriveLetter* :\Windows\WinSxS** , and then check whether the **pending.xml** file exists. If it does, rename it to **pending.xml.old**. + +3. To revert the registry changes, type **regedit** at the command prompt to open **Registry Editor**. + +4. Select **HKEY_LOCAL_MACHINE**, and then go to **File** > **Load Hive**. + +5. Navigate to **OSdriveLetter:\Windows\System32\config**, select the file that is named **COMPONENT** (with no extension), and then select **Open**. When you are prompted, enter the name **OfflineComponentHive** for the new hive + + ![Load Hive](images/loadhive.png) + +6. Expand **HKEY_LOCAL_MACHINE\OfflineComponentHive**, and check whether the **PendingXmlIdentifier** key exists. Create a backup of the **OfflineComponentHive** key, and then delete the **PendingXmlIdentifier** key. + +7. Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**. + + ![Unload Hive](images/unloadhive.png)![Unload Hive](images/unloadhive1.png) + +8. Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter* :\Windows\System32\config**, select the file that is named **SYSTEM** (with no extension), and then select **Open** . When you are prompted, enter the name **OfflineSystemHive** for the new hive. + +9. Expand **HKEY_LOCAL_MACHINE\OfflineSystemHive**, and then select the **Select** key. Check the data for the **Default** value. + +10. If the data in **HKEY_LOCAL_MACHINE\OfflineSystemHive\Select\Default** is **1** , expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001**. If it is **2**, expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet002**, and so on. + +11. Expand **Control\Session Manager**. Check whether the **PendingFileRenameOperations** key exists. If it does, back up the **SessionManager** key, and then delete the **PendingFileRenameOperations** key. + +### Verifying boot critical drivers and services + +#### Check services + +1. Follow steps 1-10 in the "Troubleshooting if this issue occurs after an Windows Update installation" section. (Step 11 does not apply to this procedure.) + +2. Expand **Services**. + +3. Make sure that the following registry keys exist under **Services**: + + * ACPI + + * DISK + + * VOLMGR + + * PARTMGR + + * VOLSNAP + + * VOLUME + +If these keys exist, check each one to make sure that it has a value that is named **Start** and that it is set to **0**. If not, set the value to **0**. + +If any of these keys do not exist, you can try to replace the current registry hive by using the hive from **RegBack**. To do this, run the following commands: + +```cmd +cd OSdrive:\Windows\System32\config +ren SYSTEM SYSTEM.old +copy OSdrive:\Windows\System32\config\RegBack\SYSTEM OSdrive:\Windows\System32\config\ +``` + +#### Check upper and lower filter drivers + +Check whether there are any non-Microsoft upper and lower filter drivers on the computer and that they do not exist on another, similar working computer. if they do exist, remove the upper and lower filter drivers: + +1. Expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001\Control**. + +2. Look for any **UpperFilters** or **LowerFilters** entries. + + >[!NOTE] + >These filters are mainly related to storage. After you expand the **Control** key in the registry, you can search for **UpperFilters** and **LowerFilters**. + + The following are some of the different registry entries in which you may find these filter drivers. These entries are located under **ControlSet** and are designated as **Default** : + +\Control\Class\\{4D36E96A-E325-11CE-BFC1-08002BE10318} + +\Control\Class\\{4D36E967-E325-11CE-BFC1-08002BE10318} + +\Control\Class\\{4D36E97B-E325-11CE-BFC1-08002BE10318} + +\Control\Class\\{71A27CDD-812A-11D0-BEC7-08002BE2092F} + +![Registry](images/controlset.png) + +If an **UpperFilters** or **LowerFilters** entry is non-standard (for example, it is not a Windows default filter driver, such as PartMgr), remove the entry by double-clicking it in the right pane, and then deleting only that value. + +>[!NOTE] +>There could be multiple entries. + +The reason that these entries may affect us is because there may be an entry in the **Services** branch that has a START type set to 0 or 1 (indicating that it is loaded at the Boot or Automatic part of the boot process). Also, either the file that is referred to is missing or corrupted, or it may be named differently than what is listed in the entry. + +>[!NOTE] +>If there actually is a service that is set to **0** or **1** that corresponds to an **UpperFilters** or **LowerFilters** entry, setting the service to disabled in the **Services** registry (as discussed in steps 2 and 3 of the Check services section) without removing the **Filter Driver** entry causes the computer to crash and generate a 0x7b Stop error. + +### Running SFC and Chkdsk + + If the computer still does not start, you can try to run a **chkdisk** process on the system drive, and also run System File Checker. To do this, run the following commands at a WinRE command prompt: + +* `chkdsk /f /r OsDrive:` + + ![Check disk](images/check-disk.png) + +* `sfc /scannow /offbootdir=OsDrive:\ /offwindir=OsDrive:\Windows` + + ![SFC scannow](images/sfc-scannow.png) + diff --git a/windows/client-management/troubleshoot-networking.md b/windows/client-management/troubleshoot-networking.md new file mode 100644 index 0000000000..184a70c8f0 --- /dev/null +++ b/windows/client-management/troubleshoot-networking.md @@ -0,0 +1,34 @@ +--- +title: Advanced troubleshooting for Windows networking +description: Learn how to troubleshoot networking +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +--- + +# Advanced troubleshooting for Windows networking + +The following topics are available to help you troubleshoot common problems related to Windows networking. + +- [Advanced troubleshooting for wireless network connectivity](advanced-troubleshooting-wireless-network-connectivity.md) +- [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md) + - [Data collection for troubleshooting 802.1X authentication](data-collection-for-802-authentication.md) +- [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md) + - [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md) + - [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md) + - [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md) + - [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md) + +## Concepts and technical references + +[802.1X authenticated wired access overview](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831831(v=ws.11))
    +[802.1X authenticated wireless access overview](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994700(v%3dws.11))
    +[Wireless cccess deployment overview](https://docs.microsoft.com/windows-server/networking/core-network-guide/cncg/wireless/b-wireless-access-deploy-overview)
    +[TCP/IP technical reference](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379473(v=ws.10))
    +[Network Monitor](https://docs.microsoft.com/windows/desktop/netmon2/network-monitor)
    +[RPC and the network](https://docs.microsoft.com/windows/desktop/rpc/rpc-and-the-network)
    +[How RPC works](https://docs.microsoft.com/windows/desktop/rpc/how-rpc-works)
    +[NPS reason codes](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v=ws.10))
    \ No newline at end of file diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md new file mode 100644 index 0000000000..75df2a087d --- /dev/null +++ b/windows/client-management/troubleshoot-stop-errors.md @@ -0,0 +1,575 @@ +--- +title: Advanced troubleshooting for Stop error or blue screen error issue +description: Learn how to troubleshoot Stop error or blue screen issues. +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +--- + +# Advanced troubleshooting for Stop error or blue screen error issue + +>[!NOTE] +>If you're not a support agent or IT professional, you'll find more helpful information about Stop error ("blue screen") messages in [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238). + + +## What causes Stop errors? + +A Stop error is displayed as a blue screen that contains the name of the faulty driver, such as any of the following example drivers: + +- atikmpag.sys +- igdkmd64.sys +- nvlddmkm.sys + +There is no simple explanation for the cause of Stop errors (also known as blue screen errors or bug check errors). Many different factors can be involved. However, various studies indicate that Stop errors usually are not caused by Microsoft Windows components. Instead, these errors are generally related to malfunctioning hardware drivers or drivers that are installed by third-party software. This includes video cards, wireless network cards, security programs, and so on. + +Our analysis of the root causes of crashes indicates the following: + +- 70 percent are caused by third-party driver code +- 10 percent are caused by hardware issues +- 5 percent are caused by Microsoft code +- 15 percent have unknown causes (because the memory is too corrupted to analyze) + +## General troubleshooting steps + +To troubleshoot Stop error messages, follow these general steps: + +1. Review the Stop error code that you find in the event logs. Search online for the specific Stop error codes to see whether there are any known issues, resolutions, or workarounds for the problem. +2. As a best practice, we recommend that you do the following: + + a. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: + + - [Windows 10, version 1809](https://support.microsoft.com/help/4464619) + - [Windows 10, version 1803](https://support.microsoft.com/help/4099479) + - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) + - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) + - [Windows Server 2016 and Windows 10, version 1607](https://support.microsoft.com/help/4000825) + - [Windows 10, version 1511](https://support.microsoft.com/help/4000824) + - [Windows Server 2012 R2 and Windows 8.1](https://support.microsoft.com/help/4009470) + - [Windows Server 2008 R2 and Windows 7 SP1](https://support.microsoft.com/help/4009469) + + b. Make sure that the BIOS and firmware are up-to-date. + + c. Run any relevant hardware and memory tests. + +3. Run the [Machine Memory Dump Collector](https://home.diagnostics.support.microsoft.com/selfhelp?knowledgebasearticlefilter=2027760&wa=wsignin1.0) Windows diagnostic package. This diagnostic tool is used to collect machine memory dump files and check for known solutions. + +4. Run [Microsoft Safety Scanner](http://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections. + +5. Make sure that there is sufficient free space on the hard disk. The exact requirement varies, but we recommend 10 to 15 percent free disk space. + +6. Contact the respective hardware or software vendor to update the drivers and applications in the following scenarios: + + - The error message indicates that a specific driver is causing the problem. + - You are seeing an indication of a service that is starting or stopping before the crash occurred. In this situation, determine whether the service behavior is consistent across all instances of the crash. + - You have made any software or hardware changes. + + >[!NOTE] + >If there are no updates available from a specific manufacturer, it is recommended that you disable the related service. + > + >To do this, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135) + > + >You can disable a driver by following the steps in [How to temporarily deactivate the kernel mode filter driver in Windows](https://support.microsoft.com/help/816071). + > + >You may also want to consider the option of rolling back changes or reverting to the last-known working state. For more information, see [Roll Back a Device Driver to a Previous Version](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732648(v=ws.11)). + +### Memory dump collection + +To configure the system for memory dump files, follow these steps: + +1. [Download DumpConfigurator tool](https://codeplexarchive.blob.core.windows.net/archive/projects/WinPlatTools/WinPlatTools.zip). +2. Extract the .zip file and navigate to **Source Code** folder. +3. Run the tool DumpConfigurator.hta, and then select **Elevate this HTA**. +3. Select **Auto Config Kernel**. +4. Restart the computer for the setting to take effect. +5. Stop and disable Automatic System Restart Services (ASR) to prevent dump files from being written. +6. If the server is virtualized, disable auto reboot after the memory dump file is created. This lets you take a snapshot of the server in-state and also if the problem recurs. + +The memory dump file is saved at the following locations. + +| Dump file type | Location | +|----------------|----------| +|(none) | %SystemRoot%\MEMORY.DMP (inactive, or greyed out) | +|Small memory dump file (256kb) | %SystemRoot%\Minidump | +|Kernel memory dump file | %SystemRoot%\MEMORY.DMP | +| Complete memory dump file | %SystemRoot%\MEMORY.DMP | +| Automatic memory dump file | %SystemRoot%\MEMORY.DMP | +| Active memory dump file | %SystemRoot%\MEMORY.DMP | + +You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid. For more information, see the following video: + +>[!video https://www.youtube.com/embed/xN7tOfgNKag] + +More information on how to use Dumpchk.exe to check your dump files: + +- [Using DumpChk]( https://docs.microsoft.com/windows-hardware/drivers/debugger/dumpchk) +- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk) + +### Pagefile Settings + +- [Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows](https://support.microsoft.com/help/4133658) +- [How to determine the appropriate page file size for 64-bit versions of Windows](https://support.microsoft.com/help/2860880) +- [How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2](https://support.microsoft.com/help/969028) + +### Memory dump analysis + +Finding the root cause of the crash may not be easy. Hardware problems are especially difficult to diagnose because they may cause erratic and unpredictable behavior that can manifest itself in a variety of symptoms. + +When a Stop error occurs, you should first isolate the problematic components, and then try to cause them to trigger the Stop error again. If you can replicate the problem, you can usually determine the cause. + +You can use the tools such as Windows Software Development KIT (SDK) and Symbols to diagnose dump logs. The next section discusses how to use this tool. + +## Advanced troubleshooting steps + +>[!NOTE] +>Advanced troubleshooting of crash dumps can be very challenging if you are not experienced with programming and internal Windows mechanisms. We have attempted to provide a brief insight here into some of the techniques used, including some examples. However, to really be effective at troubleshooting a crash dump, you should spend time becoming familiar with advanced debugging techniques. For a video overview, see [Advanced Windows Debugging](https://channel9.msdn.com/Blogs/Charles/Advanced-Windows-Debugging-An-Introduction) and [Debugging Kernel Mode Crashes and Hangs](https://channel9.msdn.com/Shows/Defrag-Tools/DefragTools-137-Debugging-kernel-mode-dumps). Also see the advanced references listed below. + +### Advanced debugging references + +[Advanced Windows Debugging](https://www.amazon.com/Advanced-Windows-Debugging-Mario-Hewardt/dp/0321374460)
    +[Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)](https://docs.microsoft.com/windows-hardware/drivers/debugger/index) + +### Debugging steps + +1. Verify that the computer is set up to generate a complete memory dump file when a crash occurs. See the steps [here](troubleshoot-windows-freeze.md#method-1-memory-dump) for more information. +2. Locate the memory.dmp file in your Windows directory on the computer that is crashing, and copy that file to another computer. +3. On the other computer, download the [Windows 10 SDK](https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk). +4. Start the install and choose **Debugging Tools for Windows**. This will install the WinDbg tool. +5. Open the WinDbg tool and set the symbol path by clicking **File** and then clicking **Symbol File Path**.
    + a. If the computer is connected to the Internet, enter the [Microsoft public symbol server](https://docs.microsoft.com/windows-hardware/drivers/debugger/microsoft-public-symbols) (https://msdl.microsoft.com/download/symbols) and click **OK**. This is the recommended method.
    + b. If the computer is not connected to the Internet, you must specify a local [symbol path](https://docs.microsoft.com/en-in/windows-hardware/drivers/debugger/symbol-path). +6. Click on **Open Crash Dump**, and then open the memory.dmp file that you copied. See the example below. + ![WinDbg](images/windbg.png) +7. There should be a link that says **!analyze -v** under **Bugcheck Analysis**. Click that link. This will enter the command !analyze -v in the prompt at the bottom of the page. +8. A detailed bugcheck analysis will appear. See the example below. + ![Bugcheck analysis](images/bugcheck-analysis.png) +9. Scroll down to the section where it says **STACK_TEXT**. There will be rows of numbers with each row followed by a colon and some text. That text should tell you what DLL is causing the crash and if applicable what service is crashing the DLL. +10. See [Using the !analyze Exension](https://docs.microsoft.com/windows-hardware/drivers/debugger/using-the--analyze-extension) for details about how to interpret the STACK_TEXT output. + +There are many possible causes of a bugcheck and each case is unique. In the example provided above, the important lines that can be identified from the STACK_TEXT are 20, 21, and 22: + +(HEX data is removed here and lines are numbered for clarity) + +``` +1 : nt!KeBugCheckEx +2 : nt!PspCatchCriticalBreak+0xff +3 : nt!PspTerminateAllThreads+0x1134cf +4 : nt!PspTerminateProcess+0xe0 +5 : nt!NtTerminateProcess+0xa9 +6 : nt!KiSystemServiceCopyEnd+0x13 +7 : nt!KiServiceLinkage +8 : nt!KiDispatchException+0x1107fe +9 : nt!KiFastFailDispatch+0xe4 +10 : nt!KiRaiseSecurityCheckFailure+0x3d3 +11 : ntdll!RtlpHpFreeWithExceptionProtection$filt$0+0x44 +12 : ntdll!_C_specific_handler+0x96 +13 : ntdll!RtlpExecuteHandlerForException+0xd +14 : ntdll!RtlDispatchException+0x358 +15 : ntdll!KiUserExceptionDispatch+0x2e +16 : ntdll!RtlpHpVsContextFree+0x11e +17 : ntdll!RtlpHpFreeHeap+0x48c +18 : ntdll!RtlpHpFreeWithExceptionProtection+0xda +19 : ntdll!RtlFreeHeap+0x24a +20 : FWPolicyIOMgr!FwBinariesFree+0xa7c2 +21 : mpssvc!FwMoneisDiagEdpPolicyUpdate+0x1584f +22 : mpssvc!FwEdpMonUpdate+0x6c +23 : ntdll!RtlpWnfWalkUserSubscriptionList+0x29b +24 : ntdll!RtlpWnfProcessCurrentDescriptor+0x105 +25 : ntdll!RtlpWnfNotificationThread+0x80 +26 : ntdll!TppExecuteWaitCallback+0xe1 +27 : ntdll!TppWorkerThread+0x8d0 +28 : KERNEL32!BaseThreadInitThunk+0x14 +29 : ntdll!RtlUserThreadStart+0x21 +``` + +The problem here is with **mpssvc** which is a component of the Windows Firewall. The problem was repaired by disabling the firewall temporarily and then resetting firewall policies. + +Additional examples are provided in the [Debugging examples](#debugging-examples) section at the bottom of this article. + +## Video resources + +The following videos illustrate various troubleshooting techniques for analyzing dump files. + +- [Analyze Dump File](https://www.youtube.com/watch?v=s5Vwnmi_TEY) +- [Installing Debugging Tool for Windows (x64 and x86)](https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-Building-your-USB-thumbdrive/player#time=22m29s:paused) +- [Debugging kernel mode crash memory dumps](https://channel9.msdn.com/Shows/Defrag-Tools/DefragTools-137-Debugging-kernel-mode-dumps) +- [Special Pool](https://www.youtube.com/watch?v=vHXYS9KdU1k) + +## Advanced troubleshooting using Driver Verifier + +We estimate that about 75 percent of all Stop errors are caused by faulty drivers. The Driver Verifier tool provides several methods to help you troubleshoot. These include running drivers in an isolated memory pool (without sharing memory with other components), generating extreme memory pressure, and validating parameters. If the tool encounters errors in the execution of driver code, it proactively creates an exception to let that part of the code be examined further. + +>[!WARNING] +>Driver Verifier consumes lots of CPU and can slow down the computer significantly. You may also experience additional crashes. Verifier disables faulty drivers after a Stop error occurs, and continues to do this until you can successfully restart the system and access the desktop. You can also expect to see several dump files created. +> +>Don’t try to verify all the drivers at one time. This can degrade performance and make the system unusable. This also limits the effectiveness of the tool. + +Use the following guidelines when you use Driver Verifier: + +- Test any “suspicious” drivers (drivers that were recently updated or that are known to be problematic). +- If you continue to experience non-analyzable crashes, try enabling verification on all third-party and unsigned drivers. +- Enable concurrent verification on groups of 10 to 20 drivers. +- Additionally, if the computer cannot boot into the desktop because of Driver Verifier, you can disable the tool by starting in Safe mode. This is because the tool cannot run in Safe mode. + +For more information, see [Driver Verifier](https://docs.microsoft.com/windows-hardware/drivers/devtest/driver-verifier). + +## Common Windows Stop errors + +This section doesn't contain a list of all error codes, but since many error codes have the same potential resolutions, your best bet is to follow the steps below to troubleshoot your error. + +The following table lists general troubleshooting procedures for common Stop error codes. + +Stop error message and code | Mitigation +--- | --- +VIDEO_ENGINE_TIMEOUT_DETECTED or VIDEO_TDR_TIMEOUT_DETECTED
    Stop error code 0x00000141, or 0x00000117 | Contact the vendor of the listed display driver to get an appropriate update for that driver. +DRIVER_IRQL_NOT_LESS_OR_EQUAL
    Stop error code 0x0000000D1 | Apply the latest updates for the driver by applying the latest cumulative updates for the system through the Microsoft Update Catalog website.Update an outdated NIC driver. Virtualized VMware systems often run “Intel(R) PRO/1000 MT Network Connection” (e1g6032e.sys). This driver is available at [http://downloadcenter.intel.com](http://downloadcenter.intel.com). Contact the hardware vendor to update the NIC driver for a resolution. For VMware systems, use the VMware integrated NIC driver (types VMXNET or VMXNET2 , VMXNET3 can be used) instead of Intel e1g6032e.sys. +PAGE_FAULT_IN_NONPAGED_AREA
    Stop error code 0x000000050 | If a driver is identified in the Stop error message, contact the manufacturer for an update.If no updates are available, disable the driver, and monitor the system for stability. Run Chkdsk /f /r to detect and repair disk errors. You must restart the system before the disk scan begins on a system partition. Contact the manufacturer for any diagnostic tools that they may provide for the hard disk subsystem. Try to reinstall any application or service that was recently installed or updated. It's possible that the crash was triggered while the system was starting applications and reading the registry for preference settings. Reinstalling the application can fix corrupted registry keys.If the problem persists, and you have run a recent system state backup, try to restore the registry hives from the backup. +SYSTEM_SERVICE_EXCEPTION
    Stop error code c000021a {Fatal System Error} The Windows SubSystem system process terminated unexpectedly with a status of 0xc0000005. The system has been shut down. | Use the System File Checker tool to repair missing or corrupted system files. The System File Checker lets users scan for corruptions in Windows system files and restore corrupted files. For more information, see [Use the System File Checker tool](https://support.microsoft.com/en-us/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files). +NTFS_FILE_SYSTEM
    Stop error code 0x000000024 | This Stop error is commonly caused by corruption in the NTFS file system or bad blocks (sectors) on the hard disk. Corrupted drivers for hard disks (SATA or IDE) can also adversely affect the system's ability to read and write to disk. Run any hardware diagnostics that are provided by the manufacturer of the storage subsystem. Use the scan disk tool to verify that there are no file system errors. To do this, right-click the drive that you want to scan, select Properties, select Tools, and then select the Check now button.We also suggest that you update the NTFS file system driver (Ntfs.sys), and apply the latest cumulative updates for the current operating system that is experiencing the problem. +KMODE_EXCEPTION_NOT_HANDLED
    Stop error code 0x0000001E | If a driver is identified in the Stop error message, disable or remove that driver. Disable or remove any drivers or services that were recently added.

    If the error occurs during the startup sequence, and the system partition is formatted by using the NTFS file system, you might be able to use Safe mode to disable the driver in Device Manager. To do this, follow these steps:

    Go to **Settings > Update & security > Recovery**. Under **Advanced startup**, select **Restart now**. After your PC restarts to the **Choose an option** screen, select **Troubleshoot > Advanced options > Startup Settings > Restart**. After the computer restarts, you'll see a list of options. Press **4** or **F4** to start the computer in Safe mode. Or, if you intend to use the Internet while in Safe mode, press **5** or **F5** for the Safe Mode with Networking option. +DPC_WATCHDOG_VIOLATION
    Stop error code 0x00000133 | This Stop error code is caused by a faulty driver that does not complete its work within the allotted time frame in certain conditions. To enable us to help mitigate this error, collect the memory dump file from the system, and then use the Windows Debugger to find the faulty driver. If a driver is identified in the Stop error message, disable the driver to isolate the problem. Check with the manufacturer for driver updates. Check the system log in Event Viewer for additional error messages that might help identify the device or driver that is causing Stop error 0x133. Verify that any new hardware that is installed is compatible with the installed version of Windows. For example, you can get information about required hardware at Windows 10 Specifications. If Windows Debugger is installed, and you have access to public symbols, you can load the c:\windows\memory.dmp file into the Debugger, and then refer to [Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012](https://blogs.msdn.microsoft.com/ntdebugging/2012/12/07/determining-the-source-of-bug-check-0x133-dpc_watchdog_violation-errors-on-windows-server-2012/) to find the problematic driver from the memory dump. +USER_MODE_HEALTH_MONITOR
    Stop error code 0x0000009E | This Stop error indicates that a user-mode health check failed in a way that prevents graceful shutdown. Therefore, Windows restores critical services by restarting or enabling application failover to other servers. The Clustering Service incorporates a detection mechanism that may detect unresponsiveness in user-mode components.
    This Stop error usually occurs in a clustered environment, and the indicated faulty driver is RHS.exe.Check the event logs for any storage failures to identify the failing process.Try to update the component or process that is indicated in the event logs. You should see the following event recorded:
    Event ID: 4870
    Source: Microsoft-Windows-FailoverClustering
    Description: User mode health monitoring has detected that the system is not being responsive. The Failover cluster virtual adapter has lost contact with the Cluster Server process with a process ID ‘%1’, for ‘%2’ seconds. Recovery action will be taken. Review the Cluster logs to identify the process and investigate which items might cause the process to hang.
    For more information, see ["Why is my Failover Clustering node blue screening with a Stop 0x0000009E?"](https://blogs.technet.microsoft.com/askcore/2009/06/12/why-is-my-failover-clustering-node-blue-screening-with-a-stop-0x0000009e) Also, see the following Microsoft video [What to do if a 9E occurs](https://www.youtube.com/watch?v=vOJQEdmdSgw). + +## Debugging examples + +### Example 1 + +This bugcheck is caused by a driver hang during upgrade, resulting in a bugcheck D1 in NDIS.sys (a Microsoft driver). The **IMAGE_NAME** will tell you the faulting driver, but since this is Microsoft driver it cannot be replaced or removed. The resolution method is to disable the network device in device manager and try the upgrade again. + +``` +2: kd> !analyze -v +******************************************************************************* +* * +* Bugcheck Analysis * +* * +******************************************************************************* + +DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) +An attempt was made to access a pageable (or completely invalid) address at an +interrupt request level (IRQL) that is too high. This is usually +caused by drivers using improper addresses. +If kernel debugger is available get stack backtrace. +Arguments: +Arg1: 000000000011092a, memory referenced +Arg2: 0000000000000002, IRQL +Arg3: 0000000000000001, value 0 = read operation, 1 = write operation +Arg4: fffff807aa74f4c4, address which referenced memory +Debugging Details: +------------------ + +KEY_VALUES_STRING: 1 +STACKHASH_ANALYSIS: 1 +TIMELINE_ANALYSIS: 1 +DUMP_CLASS: 1 +DUMP_QUALIFIER: 400 +SIMULTANEOUS_TELSVC_INSTANCES: 0 +SIMULTANEOUS_TELWP_INSTANCES: 0 +BUILD_VERSION_STRING: 16299.15.amd64fre.rs3_release.170928-1534 +SYSTEM_MANUFACTURER: Alienware +SYSTEM_PRODUCT_NAME: Alienware 15 R2 +SYSTEM_SKU: Alienware 15 R2 +SYSTEM_VERSION: 1.2.8 +BIOS_VENDOR: Alienware +BIOS_VERSION: 1.2.8 +BIOS_DATE: 01/29/2016 +BASEBOARD_MANUFACTURER: Alienware +BASEBOARD_PRODUCT: Alienware 15 R2 +BASEBOARD_VERSION: A00 +DUMP_TYPE: 2 +BUGCHECK_P1: 11092a +BUGCHECK_P2: 2 +BUGCHECK_P3: 1 +BUGCHECK_P4: fffff807aa74f4c4 +WRITE_ADDRESS: fffff80060602380: Unable to get MiVisibleState +Unable to get NonPagedPoolStart +Unable to get NonPagedPoolEnd +Unable to get PagedPoolStart +Unable to get PagedPoolEnd +000000000011092a +CURRENT_IRQL: 2 +FAULTING_IP: +NDIS!NdisQueueIoWorkItem+4 [minio\ndis\sys\miniport.c @ 9708] +fffff807`aa74f4c4 48895120 mov qword ptr [rcx+20h],rdx +CPU_COUNT: 8 +CPU_MHZ: a20 +CPU_VENDOR: GenuineIntel +CPU_FAMILY: 6 +CPU_MODEL: 5e +CPU_STEPPING: 3 +CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: BA'00000000 (cache) BA'00000000 (init) +BLACKBOXPNP: 1 (!blackboxpnp) +DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT +BUGCHECK_STR: AV +PROCESS_NAME: System +ANALYSIS_SESSION_HOST: SHENDRIX-DEV0 +ANALYSIS_SESSION_TIME: 01-17-2019 11:06:05.0653 +ANALYSIS_VERSION: 10.0.18248.1001 amd64fre +TRAP_FRAME: ffffa884c0c3f6b0 -- (.trap 0xffffa884c0c3f6b0) +NOTE: The trap frame does not contain all registers. +Some register values may be zeroed or incorrect. +rax=fffff807ad018bf0 rbx=0000000000000000 rcx=000000000011090a +rdx=fffff807ad018c10 rsi=0000000000000000 rdi=0000000000000000 +rip=fffff807aa74f4c4 rsp=ffffa884c0c3f840 rbp=000000002408fd00 +r8=ffffb30e0e99ea30 r9=0000000001d371c1 r10=0000000020000080 +r11=0000000000000000 r12=0000000000000000 r13=0000000000000000 +r14=0000000000000000 r15=0000000000000000 +iopl=0 nv up ei ng nz na pe nc +NDIS!NdisQueueIoWorkItem+0x4: +fffff807`aa74f4c4 48895120 mov qword ptr [rcx+20h],rdx ds:00000000`0011092a=???????????????? +Resetting default scope + +LAST_CONTROL_TRANSFER: from fffff800603799e9 to fffff8006036e0e0 + +STACK_TEXT: +ffffa884`c0c3f568 fffff800`603799e9 : 00000000`0000000a 00000000`0011092a 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx [minkernel\ntos\ke\amd64\procstat.asm @ 134] +ffffa884`c0c3f570 fffff800`60377d7d : fffff78a`4000a150 ffffb30e`03fba001 ffff8180`f0b5d180 00000000`000000ff : nt!KiBugCheckDispatch+0x69 [minkernel\ntos\ke\amd64\trap.asm @ 2998] +ffffa884`c0c3f6b0 fffff807`aa74f4c4 : 00000000`00000002 ffff8180`f0754180 00000000`00269fb1 ffff8180`f0754180 : nt!KiPageFault+0x23d [minkernel\ntos\ke\amd64\trap.asm @ 1248] +ffffa884`c0c3f840 fffff800`60256b63 : ffffb30e`0e18f710 ffff8180`f0754180 ffffa884`c0c3fa18 00000000`00000002 : NDIS!NdisQueueIoWorkItem+0x4 [minio\ndis\sys\miniport.c @ 9708] +ffffa884`c0c3f870 fffff800`60257bfd : 00000000`00000008 00000000`00000000 00000000`00269fb1 ffff8180`f0754180 : nt!KiProcessExpiredTimerList+0x153 [minkernel\ntos\ke\dpcsup.c @ 2078] +ffffa884`c0c3f960 fffff800`6037123a : 00000000`00000000 ffff8180`f0754180 00000000`00000000 ffff8180`f0760cc0 : nt!KiRetireDpcList+0x43d [minkernel\ntos\ke\dpcsup.c @ 1512] +ffffa884`c0c3fb60 00000000`00000000 : ffffa884`c0c40000 ffffa884`c0c39000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x5a [minkernel\ntos\ke\amd64\idle.asm @ 166] + +RETRACER_ANALYSIS_TAG_STATUS: Failed in getting KPCR for core 2 +THREAD_SHA1_HASH_MOD_FUNC: 5b59a784f22d4b5cbd5a8452fe39914b8fd7961d +THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 5643383f9cae3ca39073f7721b53f0c633bfb948 +THREAD_SHA1_HASH_MOD: 20edda059578820e64b723e466deea47f59bd675 +FOLLOWUP_IP: +NDIS!NdisQueueIoWorkItem+4 [minio\ndis\sys\miniport.c @ 9708] +fffff807`aa74f4c4 48895120 mov qword ptr [rcx+20h],rdx +FAULT_INSTR_CODE: 20518948 +FAULTING_SOURCE_LINE: minio\ndis\sys\miniport.c +FAULTING_SOURCE_FILE: minio\ndis\sys\miniport.c +FAULTING_SOURCE_LINE_NUMBER: 9708 +FAULTING_SOURCE_CODE: + 9704: _In_ _Points_to_data_ PVOID WorkItemContext + 9705: ) + 9706: { + 9707: +> 9708: ((PNDIS_IO_WORK_ITEM)NdisIoWorkItemHandle)->Routine = Routine; + 9709: ((PNDIS_IO_WORK_ITEM)NdisIoWorkItemHandle)->WorkItemContext = WorkItemContext; + 9710: + 9711: IoQueueWorkItem(((PNDIS_IO_WORK_ITEM)NdisIoWorkItemHandle)->IoWorkItem, + 9712: ndisDispatchIoWorkItem, + 9713: CriticalWorkQueue, + +SYMBOL_STACK_INDEX: 3 +SYMBOL_NAME: NDIS!NdisQueueIoWorkItem+4 +FOLLOWUP_NAME: ndiscore +MODULE_NAME: NDIS +IMAGE_NAME: NDIS.SYS +DEBUG_FLR_IMAGE_TIMESTAMP: 0 +IMAGE_VERSION: 10.0.16299.99 +DXGANALYZE_ANALYSIS_TAG_PORT_GLOBAL_INFO_STR: Hybrid_FALSE +DXGANALYZE_ANALYSIS_TAG_ADAPTER_INFO_STR: GPU0_VenId0x1414_DevId0x8d_WDDM1.3_Active; +STACK_COMMAND: .thread ; .cxr ; kb +BUCKET_ID_FUNC_OFFSET: 4 +FAILURE_BUCKET_ID: AV_NDIS!NdisQueueIoWorkItem +BUCKET_ID: AV_NDIS!NdisQueueIoWorkItem +PRIMARY_PROBLEM_CLASS: AV_NDIS!NdisQueueIoWorkItem +TARGET_TIME: 2017-12-10T14:16:08.000Z +OSBUILD: 16299 +OSSERVICEPACK: 98 +SERVICEPACK_NUMBER: 0 +OS_REVISION: 0 +SUITE_MASK: 784 +PRODUCT_TYPE: 1 +OSPLATFORM_TYPE: x64 +OSNAME: Windows 10 +OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS Personal +OS_LOCALE: +USER_LCID: 0 +OSBUILD_TIMESTAMP: 2017-11-26 03:49:20 +BUILDDATESTAMP_STR: 170928-1534 +BUILDLAB_STR: rs3_release +BUILDOSVER_STR: 10.0.16299.15.amd64fre.rs3_release.170928-1534 +ANALYSIS_SESSION_ELAPSED_TIME: 8377 +ANALYSIS_SOURCE: KM +FAILURE_ID_HASH_STRING: km:av_ndis!ndisqueueioworkitem +FAILURE_ID_HASH: {10686423-afa1-4852-ad1b-9324ac44ac96} +FAILURE_ID_REPORT_LINK: http://go.microsoft.com/fwlink/?LinkID=397724&FailureHash=10686423-afa1-4852-ad1b-9324ac44ac96 +Followup: ndiscore +--------- +``` +### Example 2 + +In this example, a non-Microsoft driver caused page fault, so we don’t have symbols for this driver. However, looking at **IMAGE_NAME** and or **MODULE_NAME** indicates it’s **WwanUsbMP.sys** that caused the issue. Disconnecting the device and retrying the upgrade is a possible solution. + +``` + +1: kd> !analyze -v +******************************************************************************* +* * +* Bugcheck Analysis * +* * +******************************************************************************* + +PAGE_FAULT_IN_NONPAGED_AREA (50) +Invalid system memory was referenced. This cannot be protected by try-except. +Typically the address is just plain bad or it is pointing at freed memory. +Arguments: +Arg1: 8ba10000, memory referenced. +Arg2: 00000000, value 0 = read operation, 1 = write operation. +Arg3: 82154573, If non-zero, the instruction address which referenced the bad memory + address. +Arg4: 00000000, (reserved) + +Debugging Details: +------------------ + +*** WARNING: Unable to verify timestamp for WwanUsbMp.sys +*** ERROR: Module load completed but symbols could not be loaded for WwanUsbMp.sys + +KEY_VALUES_STRING: 1 +STACKHASH_ANALYSIS: 1 +TIMELINE_ANALYSIS: 1 +DUMP_CLASS: 1 +DUMP_QUALIFIER: 400 +BUILD_VERSION_STRING: 16299.15.x86fre.rs3_release.170928-1534 +MARKER_MODULE_NAME: IBM_ibmpmdrv +SYSTEM_MANUFACTURER: LENOVO +SYSTEM_PRODUCT_NAME: 20AWS07H00 +SYSTEM_SKU: LENOVO_MT_20AW_BU_Think_FM_ThinkPad T440p +SYSTEM_VERSION: ThinkPad T440p +BIOS_VENDOR: LENOVO +BIOS_VERSION: GLET85WW (2.39 ) +BIOS_DATE: 09/29/2016 +BASEBOARD_MANUFACTURER: LENOVO +BASEBOARD_PRODUCT: 20AWS07H00 +BASEBOARD_VERSION: Not Defined +DUMP_TYPE: 2 +BUGCHECK_P1: ffffffff8ba10000 +BUGCHECK_P2: 0 +BUGCHECK_P3: ffffffff82154573 +BUGCHECK_P4: 0 +READ_ADDRESS: 822821d0: Unable to get MiVisibleState +8ba10000 +FAULTING_IP: +nt!memcpy+33 [minkernel\crts\crtw32\string\i386\memcpy.asm @ 213 +82154573 f3a5 rep movs dword ptr es:[edi],dword ptr [esi] +MM_INTERNAL_CODE: 0 +CPU_COUNT: 4 +CPU_MHZ: 95a +CPU_VENDOR: GenuineIntel +CPU_FAMILY: 6 +CPU_MODEL: 3c +CPU_STEPPING: 3 +CPU_MICROCODE: 6,3c,3,0 (F,M,S,R) SIG: 21'00000000 (cache) 21'00000000 (init) +BLACKBOXBSD: 1 (!blackboxbsd) +BLACKBOXPNP: 1 (!blackboxpnp) +DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT +BUGCHECK_STR: AV +PROCESS_NAME: System +CURRENT_IRQL: 2 +ANALYSIS_SESSION_HOST: SHENDRIX-DEV0 +ANALYSIS_SESSION_TIME: 01-17-2019 10:54:53.0780 +ANALYSIS_VERSION: 10.0.18248.1001 amd64fre +TRAP_FRAME: 8ba0efa8 -- (.trap 0xffffffff8ba0efa8) +ErrCode = 00000000 +eax=8ba1759e ebx=a2bfd314 ecx=00001d67 edx=00000002 esi=8ba10000 edi=a2bfe280 +eip=82154573 esp=8ba0f01c ebp=8ba0f024 iopl=0 nv up ei pl nz ac pe nc +cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010216 +nt!memcpy+0x33: +82154573 f3a5 rep movs dword ptr es:[edi],dword ptr [esi] +Resetting default scope +LOCK_ADDRESS: 8226c6e0 -- (!locks 8226c6e0) +Cannot get _ERESOURCE type +Resource @ nt!PiEngineLock (0x8226c6e0) Available +1 total locks +PNP_TRIAGE_DATA: + Lock address : 0x8226c6e0 + Thread Count : 0 + Thread address: 0x00000000 + Thread wait : 0x0 + +LAST_CONTROL_TRANSFER: from 82076708 to 821507e8 + +STACK_TEXT: +8ba0ede4 82076708 00000050 8ba10000 00000000 nt!KeBugCheckEx [minkernel\ntos\ke\i386\procstat.asm @ 114] +8ba0ee40 8207771e 8ba0efa8 8ba10000 8ba0eea0 nt!MiSystemFault+0x13c8 [minkernel\ntos\mm\mmfault.c @ 4755] +8ba0ef08 821652ac 00000000 8ba10000 00000000 nt!MmAccessFault+0x83e [minkernel\ntos\mm\mmfault.c @ 6868] +8ba0ef08 82154573 00000000 8ba10000 00000000 nt!_KiTrap0E+0xec [minkernel\ntos\ke\i386\trap.asm @ 5153] +8ba0f024 86692866 a2bfd314 8ba0f094 0000850a nt!memcpy+0x33 [minkernel\crts\crtw32\string\i386\memcpy.asm @ 213] +8ba0f040 866961bc 8ba0f19c a2bfd0e8 00000000 NDIS!ndisMSetPowerManagementCapabilities+0x8a [minio\ndis\sys\miniport.c @ 7969] +8ba0f060 866e1f66 866e1caf adfb9000 00000000 NDIS!ndisMSetGeneralAttributes+0x23d [minio\ndis\sys\miniport.c @ 8198] +8ba0f078 ac50c15f a2bfd0e8 0000009f 00000001 NDIS!NdisMSetMiniportAttributes+0x2b7 [minio\ndis\sys\miniport.c @ 7184] +WARNING: Stack unwind information not available. Following frames may be wrong. +8ba0f270 ac526f96 adfb9000 a2bfd0e8 8269b9b0 WwanUsbMp+0x1c15f +8ba0f3cc 866e368a a2bfd0e8 00000000 8ba0f4c0 WwanUsbMp+0x36f96 +8ba0f410 867004b0 a2bfd0e8 a2bfd0e8 a2be2a70 NDIS!ndisMInvokeInitialize+0x60 [minio\ndis\sys\miniport.c @ 13834] +8ba0f7ac 866dbc8e a2acf730 866b807c 00000000 NDIS!ndisMInitializeAdapter+0xa23 [minio\ndis\sys\miniport.c @ 601] +8ba0f7d8 866e687d a2bfd0e8 00000000 00000000 NDIS!ndisInitializeAdapter+0x4c [minio\ndis\sys\initpnp.c @ 931] +8ba0f800 866e90bb adfb64d8 00000000 a2bfd0e8 NDIS!ndisPnPStartDevice+0x118 [minio\ndis\sys\configm.c @ 4235] +8ba0f820 866e8a58 adfb64d8 a2bfd0e8 00000000 NDIS!ndisStartDeviceSynchronous+0xbd [minio\ndis\sys\ndispnp.c @ 3096] +8ba0f838 866e81df adfb64d8 8ba0f85e 8ba0f85f NDIS!ndisPnPIrpStartDevice+0xb4 [minio\ndis\sys\ndispnp.c @ 1067] +8ba0f860 820a7e98 a2bfd030 adfb64d8 8ba0f910 NDIS!ndisPnPDispatch+0x108 [minio\ndis\sys\ndispnp.c @ 2429] +8ba0f878 8231f07e 8ba0f8ec adf5d4c8 872e2eb8 nt!IofCallDriver+0x48 [minkernel\ntos\io\iomgr\iosubs.c @ 3149] +8ba0f898 820b8569 820c92b8 872e2eb8 8ba0f910 nt!PnpAsynchronousCall+0x9e [minkernel\ntos\io\pnpmgr\irp.c @ 3005] +8ba0f8cc 820c9a76 00000000 820c92b8 872e2eb8 nt!PnpSendIrp+0x67 [minkernel\ntos\io\pnpmgr\irp.h @ 286] +8ba0f914 8234577b 872e2eb8 adf638b0 adf638b0 nt!PnpStartDevice+0x60 [minkernel\ntos\io\pnpmgr\irp.c @ 3187] +8ba0f94c 82346cc7 872e2eb8 adf638b0 adf638b0 nt!PnpStartDeviceNode+0xc3 [minkernel\ntos\io\pnpmgr\start.c @ 1712] +8ba0f96c 82343c68 00000000 a2bdb3d8 adf638b0 nt!PipProcessStartPhase1+0x4d [minkernel\ntos\io\pnpmgr\start.c @ 114] +8ba0fb5c 824db885 8ba0fb80 00000000 00000000 nt!PipProcessDevNodeTree+0x386 [minkernel\ntos\io\pnpmgr\enum.c @ 6129] +8ba0fb88 8219571b 85852520 8c601040 8226ba90 nt!PiRestartDevice+0x91 [minkernel\ntos\io\pnpmgr\enum.c @ 4743] +8ba0fbe8 820804af 00000000 00000000 8c601040 nt!PnpDeviceActionWorker+0xdb4b7 [minkernel\ntos\io\pnpmgr\action.c @ 674] +8ba0fc38 8211485c 85852520 421de295 00000000 nt!ExpWorkerThread+0xcf [minkernel\ntos\ex\worker.c @ 4270] +8ba0fc70 82166785 820803e0 85852520 00000000 nt!PspSystemThreadStartup+0x4a [minkernel\ntos\ps\psexec.c @ 7756] +8ba0fc88 82051e07 85943940 8ba0fcd8 82051bb9 nt!KiThreadStartup+0x15 [minkernel\ntos\ke\i386\threadbg.asm @ 82] +8ba0fc94 82051bb9 8b9cc600 8ba10000 8ba0d000 nt!KiProcessDeferredReadyList+0x17 [minkernel\ntos\ke\thredsup.c @ 5309] +8ba0fcd8 00000000 00000000 00000000 00000000 nt!KeSetPriorityThread+0x249 [minkernel\ntos\ke\thredobj.c @ 3881] + + +RETRACER_ANALYSIS_TAG_STATUS: Failed in getting KPCR for core 1 +THREAD_SHA1_HASH_MOD_FUNC: e029276c66aea80ba36903e89947127118d31128 +THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 012389f065d31c8eedd6204846a560146a38099b +THREAD_SHA1_HASH_MOD: 44dc639eb162a28d47eaeeae4afe6f9eeccced3d +FOLLOWUP_IP: +WwanUsbMp+1c15f +ac50c15f 8bf0 mov esi,eax +FAULT_INSTR_CODE: f33bf08b +SYMBOL_STACK_INDEX: 8 +SYMBOL_NAME: WwanUsbMp+1c15f +FOLLOWUP_NAME: MachineOwner +MODULE_NAME: WwanUsbMp +IMAGE_NAME: WwanUsbMp.sys +DEBUG_FLR_IMAGE_TIMESTAMP: 5211bb0c +DXGANALYZE_ANALYSIS_TAG_PORT_GLOBAL_INFO_STR: Hybrid_FALSE +DXGANALYZE_ANALYSIS_TAG_ADAPTER_INFO_STR: GPU0_VenId0x1414_DevId0x8d_WDDM1.3_NotActive;GPU1_VenId0x8086_DevId0x416_WDDM1.3_Active_Post; +STACK_COMMAND: .thread ; .cxr ; kb +BUCKET_ID_FUNC_OFFSET: 1c15f +FAILURE_BUCKET_ID: AV_R_INVALID_WwanUsbMp!unknown_function +BUCKET_ID: AV_R_INVALID_WwanUsbMp!unknown_function +PRIMARY_PROBLEM_CLASS: AV_R_INVALID_WwanUsbMp!unknown_function +TARGET_TIME: 2018-02-12T11:33:51.000Z +OSBUILD: 16299 +OSSERVICEPACK: 15 +SERVICEPACK_NUMBER: 0 +OS_REVISION: 0 +SUITE_MASK: 272 +PRODUCT_TYPE: 1 +OSPLATFORM_TYPE: x86 +OSNAME: Windows 10 +OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS +OS_LOCALE: +USER_LCID: 0 +OSBUILD_TIMESTAMP: 2017-09-28 18:32:28 +BUILDDATESTAMP_STR: 170928-1534 +BUILDLAB_STR: rs3_release +BUILDOSVER_STR: 10.0.16299.15.x86fre.rs3_release.170928-1534 +ANALYSIS_SESSION_ELAPSED_TIME: 162bd +ANALYSIS_SOURCE: KM +FAILURE_ID_HASH_STRING: km:av_r_invalid_wwanusbmp!unknown_function +FAILURE_ID_HASH: {31e4d053-0758-e43a-06a7-55f69b072cb3} +FAILURE_ID_REPORT_LINK: http://go.microsoft.com/fwlink/?LinkID=397724&FailureHash=31e4d053-0758-e43a-06a7-55f69b072cb3 + +Followup: MachineOwner +--------- + +ReadVirtual: 812d1248 not properly sign extended +``` + +## References + +[Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2) diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md new file mode 100644 index 0000000000..ba947f741a --- /dev/null +++ b/windows/client-management/troubleshoot-tcpip-connectivity.md @@ -0,0 +1,109 @@ +--- +title: Troubleshoot TCP/IP connectivity +description: Learn how to troubleshoot TCP/IP connectivity. +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 12/06/2018 +--- + +# Troubleshoot TCP/IP connectivity + +You might come across connectivity errors on the application end or timeout errors. Most common scenarios would include application connectivity to a database server, SQL timeout errors, BizTalk application timeout errors, Remote Desktop Protocol (RDP) failures, file share access failures, or general connectivity. + +When you suspect that the issue is on the network, you collect a network trace. The network trace would then be filtered. During troubleshooting connectivity errors, you might come across TCP reset in a network capture which could indicate a network issue. + +* TCP is defined as connection-oriented and reliable protocol. One of the ways in which TCP ensures this is through the handshake process. Establishing a TCP session would begin with a 3-way handshake, followed by data transfer, and then a 4-way closure. The 4-way closure where both sender and receiver agree on closing the session is termed as *graceful closure*. After the 4-way closure, the server will allow 4 minutes of time (default), during which any pending packets on the network are to be processed, this is the TIME_WAIT state. Once the TIME_WAIT state is done, all the resources allocated for this connection are released. + +* TCP reset is an abrupt closure of the session which causes the resources allocated to the connection to be immediately released and all other information about the connection is erased. + +* TCP reset is identified by the RESET flag in the TCP header set to `1`. + +A network trace on the source and the destination which will help you determine the flow of the traffic and see at what point the failure is observed. + +The following sections describe some of the scenarios when you will see a RESET. + +## Packet drops + +When one TCP peer is sending out TCP packets for which there is no response received from the other end, the TCP peer would end up re-transmitting the data and when there is no response received, it would end the session by sending an ACK RESET( meaning, application acknowledges whatever data exchanged so far, but due to packet drop closing the connection). + +The simultaneous network traces on source and destination will help you verify this behavior where on the source side you would see the packets being retransmitted and on the destination none of these packets are seen. This would mean, the network device between the source and destination is dropping the packets. + +If the initial TCP handshake is failing because of packet drops then you would see that the TCP SYN packet is retransmitted only 3 times. + +Source side connecting on port 445: + +![Screenshot of frame summary in Network Monitor](images/tcp-ts-6.png) + +Destination side: applying the same filter, you do not see any packets. + +![Screenshot of frame summary with filter in Network Monitor](images/tcp-ts-7.png) + +For the rest of the data, TCP will retransmit the packets 5 times. + +**Source 192.168.1.62 side trace:** + +![Screenshot showing packet side trace](images/tcp-ts-8.png) + +**Destination 192.168.1.2 side trace:** + +You would not see any of the above packets. Engage your network team to investigate with the different hops and see if any of them are potentially causing drops in the network. + +If you are seeing that the SYN packets are reaching the destination, but the destination is still not responding, then verify if the port that you are trying to connect to is in the listening state. (Netstat output will help). If the port is listening and still there is no response, then there could be a wfp drop. + +## Incorrect parameter in the TCP header + +You see this behavior when the packets are modified in the network by middle devices and TCP on the receiving end is unable to accept the packet, such as the sequence number being modified, or packets being re-played by middle device by changing the sequence number. Again, the simultaneous network trace on the source and destination will be able to tell you if any of the TCP headers are modified. Start by comparing the source trace and destination trace, you will be able to notice if there is a change in the packets itself or if any new packets are reaching the destination on behalf of the source. + +In this case, you will again need help from the network team to identify any such device which is modifying packets or re-playing packets to the destination. The most common ones are RiverBed devices or WAN accelerators. + + +## Application side reset + +When you have identified that the resets are not due to retransmits or incorrect parameter or packets being modified with the help of network trace, then you have narrowed it down to application level reset. + +The application resets are the ones where you see the Acknowledgement flag set to `1` along with the reset flag. This would mean that the server is acknowledging the receipt of the packet but for some reason it will not accept the connection. This is when the application that received the packet did not like something it received. + +In the below screenshots, you see that the packets seen on the source and the destination are the same without any modification or any drops, but you see an explicit reset sent by the destination to the source. + +**Source Side** + +![Screenshot of packets on source side in Network Monitor](images/tcp-ts-9.png) + +**On the destination-side trace** + +![Screenshot of packets on destination side in Network Monitor](images/tcp-ts-10.png) + +You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason does not want to accept the packet, it would send an ACK+RST packet. + +![Screenshot of packet flag](images/tcp-ts-11.png) + +The application which is causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection. + +>[!Note] +>The above information is about resets from a TCP standpoint and not UDP. UDP is a connectionless protocol and the packets are sent unreliably. You would not see retransmission or resets when using UDP as a transport protocol. However, UDP makes use of ICMP as a error reporting protocol. When you have the UDP packet sent out on a port and the destination does not have port listed, you will see the destination sending out **ICMP Destination host unreachable: Port unreachable** message immediately after the UDP packet + + +```typescript +10.10.10.1 10.10.10.2 UDP UDP:SrcPort=49875,DstPort=3343 + +10.10.10.2 10.10.10.1 ICMP ICMP:Destination Unreachable Message, Port Unreachable,10.10.10.2:3343 +``` + + +During the course of troubleshooting connectivity issue, you might also see in the network trace that a machine receives packets but does not respond to. In such cases, there could be a drop at the server level. You should enable firewall auditing on the machine to understand if the local firewall is dropping the packet. + +```typescript +auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable +``` + +You can then review the Security event logs to see for a packet drop on a particular port-IP and a filter ID associated with it. + +![Screenshot of Event Properties](images/tcp-ts-12.png) + +Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. Once you open this file and filter for the ID you find in the above event (2944008), you will be able to see a firewall rule name associated with this ID which is blocking the connection. + +![Screenshot of wfpstate.xml file](images/tcp-ts-13.png) \ No newline at end of file diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md new file mode 100644 index 0000000000..5863c1b847 --- /dev/null +++ b/windows/client-management/troubleshoot-tcpip-netmon.md @@ -0,0 +1,64 @@ +--- +title: Collect data using Network Monitor +description: Learn how to run Network Monitor to collect data for troubleshooting TCP/IP connectivity. +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 12/06/2018 +--- + +# Collect data using Network Monitor + +In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic. + +To get started, [download and run NM34_x64.exe](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image. + +![Adapters](images/nm-adapters.png) + +When the driver gets hooked to the network interface card (NIC) during installation, the NIC is reinitialized, which might cause a brief network glitch. + +**To capture traffic** + +1. Run netmon in an elevated status by choosing Run as Administrator. + + ![Image of Start search results for Netmon](images/nm-start.png) + +2. Network Monitor opens with all network adapters displayed. Select the network adapters where you want to capture traffic, click **New Capture**, and then click **Start**. + + ![Image of the New Capture option on menu](images/tcp-ts-4.png) + +3. Reproduce the issue, and you will see that Network Monitor grabs the packets on the wire. + + ![Frame summary of network packets](images/tcp-ts-5.png) + +4. Select **Stop**, and go to **File > Save as** to save the results. By default, the file will be saved as a ".cap" file. + +The saved file has captured all the traffic that is flowing to and from the selected network adapters on the local computer. However, your interest is only to look into the traffic/packets that are related to the specific connectivity problem you are facing. So you will need to filter the network capture to see only the related traffic. + +**Commonly used filters** + +- Ipv4.address=="client ip" and ipv4.address=="server ip" +- Tcp.port== +- Udp.port== +- Icmp +- Arp +- Property.tcpretranmits +- Property.tcprequestfastretransmits +- Tcp.flags.syn==1 + +>[!TIP] +>If you want to filter the capture for a specific field and do not know the syntax for that filter, just right-click that field and select **Add *the selected value* to Display Filter**. + +Network traces which are collected using the **netsh** commands built in to Windows are of the extension "ETL". However, these ETL files can be opened using Network Monitor for further analysis. + +## More information + +[Intro to Filtering with Network Monitor 3.0](https://blogs.technet.microsoft.com/netmon/2006/10/17/intro-to-filtering-with-network-monitor-3-0/)
    +[Network Monitor Filter Examples](https://blogs.technet.microsoft.com/rmilne/2016/08/11/network-monitor-filter-examples/)
    +[Network Monitor Wireless Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1900.network-monitor-wireless-filtering.aspx)
    +[Network Monitor TCP Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1134.network-monitor-tcp-filtering.aspx)
    +[Network Monitor Conversation Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1829.network-monitor-conversation-filtering.aspx)
    +[How to setup and collect network capture using Network Monitor tool](https://blogs.technet.microsoft.com/msindiasupp/2011/08/10/how-to-setup-and-collect-network-capture-using-network-monitor-tool/)
    diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md new file mode 100644 index 0000000000..8fb6da7063 --- /dev/null +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -0,0 +1,196 @@ +--- +title: Troubleshoot port exhaustion issues +description: Learn how to troubleshoot port exhaustion issues. +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 12/06/2018 +--- + +# Troubleshoot port exhaustion issues + +TCP and UDP protocols work based on port numbers used for establishing connection. Any application or a service that needs to establish a TCP/UDP connection will require a port on its side. + +There are two types of ports: + +- *Ephemeral ports*, which are usually dynamic ports, are the set of ports that every machine by default will have them to make an outbound connection. +- *Well-known ports* are the defined port for a particular application or service. For example, file server service is on port 445, HTTPS is 443, HTTP is 80, and RPC is 135. Custom application will also have their defined port numbers. + +Clients when connecting to an application or service will make use of an ephemeral port from its machine to connect to a well-known port defined for that application or service. A browser on a client machine will use an ephemeral port to connect to https://www.microsoft.com on port 443. + +In a scenario where the same browser is creating a lot of connections to multiple website, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you will notice that the connections will start to fail and one high possibility for this would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports are on a machine are used, we term it as *port exhaustion*. + +## Default dynamic port range for TCP/IP + +To comply with [Internet Assigned Numbers Authority (IANA)](http://www.iana.org/assignments/port-numbers) recommendations, Microsoft has increased the dynamic client port range for outgoing connections. The new default start port is **49152**, and the new default end port is **65535**. This is a change from the configuration of earlier versions of Windows that used a default port range of **1025** through **5000**. + +You can view the dynamic port range on a computer by using the following netsh commands: + +- `netsh int ipv4 show dynamicport tcp` +- `netsh int ipv4 show dynamicport udp` +- `netsh int ipv6 show dynamicport tcp` +- `netsh int ipv6 show dynamicport udp` + + +The range is set separately for each transport (TCP or UDP). The port range is now a range that has a starting point and an ending point. Microsoft customers who deploy servers that are running Windows Server may have problems that affect RPC communication between servers if firewalls are used on the internal network. In these situations, we recommend that you reconfigure the firewalls to allow traffic between servers in the dynamic port range of **49152** through **65535**. This range is in addition to well-known ports that are used by services and applications. Or, the port range that is used by the servers can be modified on each server. You adjust this range by using the netsh command, as follows. The above command sets the dynamic port range for TCP. + +```cmd +netsh int set dynamic start=number num=range +``` + +The start port is number, and the total number of ports is range. The following are sample commands: + +- `netsh int ipv4 set dynamicport tcp start=10000 num=1000` +- `netsh int ipv4 set dynamicport udp start=10000 num=1000` +- `netsh int ipv6 set dynamicport tcp start=10000 num=1000` +- `netsh int ipv6 set dynamicport udp start=10000 num=1000` + +These sample commands set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) cannot exceed 65535. To duplicate the default behavior of Windows Server 2003, use 1025 as the start port, and then use 3976 as the range for both TCP and UDP. This results in a start port of 1025 and an end port of 5000. + +Specifically, about outbound connections as incoming connections will not require an Ephemeral port for accepting connections. + +Since outbound connections start to fail, you will see a lot of the below behaviors: + +- Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work. + + ![Screenshot of error for NETLOGON in Event Viewer](images/tcp-ts-14.png) + +- Group Policy update failures: + + ![Screenshot of event properties for Group Policy failure](images/tcp-ts-15.png) + +- File shares are inaccessible: + + ![Screenshot of error message "Windows cannot access"](images/tcp-ts-16.png) + +- RDP from the affected server fails: + + ![Screenshot of error when Remote Desktop is unable to connect](images/tcp-ts-17.png) + +- Any other application running on the machine will start to give out errors + +Reboot of the server will resolve the issue temporarily, but you would see all the symptoms come back after a period of time. + +If you suspect that the machine is in a state of port exhaustion: + +1. Try making an outbound connection. From the server/machine, access a remote share or try an RDP to another server or telnet to a server on a port. If the outbound connection fails for all of these, go to the next step. + +2. Open event viewer and under the system logs, look for the events which clearly indicate the current state: + + a. **Event ID 4227** + + ![Screenshot of event id 4227 in Event Viewer](images/tcp-ts-18.png) + + b. **Event ID 4231** + + ![Screenshot of event id 4231 in Event Viewer](images/tcp-ts-19.png) + +3. Collect a `netstat -anob output` from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID. + + ![Screenshot of netstate command output](images/tcp-ts-20.png) + +After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. + +You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion. + +>[!Note] +>Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion. +> +>Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports. + +4. Open a command prompt in admin mode and run the below command + + ```cmd + Netsh trace start scenario=netconnection capture=yes tracefile=c:\Server.etl + ``` + +5. Open the server.etl file with [Network Monitor](troubleshoot-tcpip-netmon.md) and in the filter section, apply the filter **Wscore_MicrosoftWindowsWinsockAFD.AFD_EVENT_BIND.Status.LENTStatus.Code == 0x209**. You should see entries which say **STATUS_TOO_MANY_ADDRESSES**. If you do not find any entries, then the server is still not out of ports. If you find them, then you can confirm that the server is under port exhaustion. + +## Troubleshoot Port exhaustion + +The key is to identify which process or application is using all the ports. Below are some of the tools that you can use to isolate to one single process + +### Method 1 + +Start by looking at the netstat output. If you are using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID which has maximum entries as BOUND. Alternately, you can also run the below Powershell command to identify the process: + +```Powershell +Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending +``` + +Most port leaks are caused by user-mode processes not correctly closing the ports when an error was encountered. At the user-mode level ports (actually sockets) are handles. Both **TaskManager** and **ProcessExplorer** are able to display handle counts which allows you to identify which process is consuming all of the ports. + +For Windows 7 and Windows Server 2008 R2, you can update your Powershell version to include the above cmdlet. + +### Method 2 + +If method 1 does not help you identify the process (prior to Windows 10 and Windows Server 2012 R2), then have a look at Task Manager: + +1. Add a column called “handles” under details/processes. +2. Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe. + + ![Screenshot of handles column in Windows Task Maner](images/tcp-ts-21.png) + +3. If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds. + +### Method 3 + +If Task Manager did not help you identify the process, then use Process Explorer to investigate the issue. + +Steps to use Process explorer: + +1. [Download Process Explorer](https://docs.microsoft.com/sysinternals/downloads/process-explorer) and run it **Elevated**. +2. Alt + click the column header, select **Choose Columns**, and on the **Process Performance** tab, add **Handle Count**. +3. Select **View \ Show Lower Pane**. +4. Select **View \ Lower Pane View \ Handles**. +5. Click the **Handles** column to sort by that value. +6. Examine the processes with higher handle counts than the rest (will likely be over 10,000 if you can't make outbound connections). +7. Click to highlight one of the processes with a high handle count. +8. In the lower pane, the handles listed as below are sockets. (Sockets are technically file handles). + + File \Device\AFD + + ![Screenshot of Process Explorer](images/tcp-ts-22.png) + +10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app. + +Finally, if the above methods did not help you isolate the process, we suggest you collect a complete memory dump of the machine in the issue state. The dump will tell you which process has the maximum handles. + +As a workaround, rebooting the computer will get the it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands: + +```cmd +netsh int ipv4 set dynamicport tcp start=10000 num=1000 +``` + +This will set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) cannot exceed 65535. + +>[!NOTE] +>Note that increasing the dynamic port range is not a permanent solution but only temporary. You will need to track down which process/processors are consuming max number of ports and troubleshoot from that process standpoint as to why its consuming such high number of ports. + +For Windows 7 and Windows Server 2008 R2, you can use the below script to collect the netstat output at defined frequency. From the outputs, you can see the port usage trend. + +``` +@ECHO ON +set v=%1 +:loop +set /a v+=1 +ECHO %date% %time% >> netstat.txt +netstat -ano >> netstat.txt + +PING 1.1.1.1 -n 1 -w 60000 >NUL + +goto loop +``` + + + + +## Useful links + +- [Port Exhaustion and You!](https://blogs.technet.microsoft.com/askds/2008/10/29/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend/) - this article gives a detail on netstat states and how you can use netstat output to determine the port status + +- [Detecting ephemeral port exhaustion](https://blogs.technet.microsoft.com/clinth/2013/08/09/detecting-ephemeral-port-exhaustion/): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10) + diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md new file mode 100644 index 0000000000..c747c000a8 --- /dev/null +++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md @@ -0,0 +1,187 @@ +--- +title: Troubleshoot Remote Procedure Call (RPC) errors +description: Learn how to troubleshoot Remote Procedure Call (RPC) errors +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 12/06/2018 +--- + +# Troubleshoot Remote Procedure Call (RPC) errors + +You might encounter an **RPC server unavailable** error when connecting to Windows Management Instrumentation (WMI), SQL Server, during a remote connection, or for some Microsoft Management Console (MMC) snap-ins. The following image is an example of an RPC error. + +![The following error has occurred: the RPC server is unavailable](images/rpc-error.png) + +This is a commonly encountered error message in the networking world and one can lose hope very fast without trying to understand much, as to what is happening ‘under the hood’. + +Before getting in to troubleshooting the **RPC server unavailable*- error, let’s first understand basics about the error. There are a few important terms to understand: + +- Endpoint mapper – a service listening on the server, which guides client apps to server apps by port and UUID. +- Tower – describes the RPC protocol, to allow the client and server to negotiate a connection. +- Floor – the contents of a tower with specific data like ports, IP addresses, and identifiers. +- UUID – a well-known GUID that identifies the RPC application. The UUID is what you use to see a specific kind of RPC application conversation, as there are likely to be many. +- Opnum – the identifier of a function that the client wants the server to execute. It’s just a hexadecimal number, but a good network analyzer will translate the function for you. If neither knows, your application vendor must tell you. +- Port – the communication endpoints for the client and server applications. +- Stub data – the information given to functions and data exchanged between the client and server. This is the payload, the important part. + +>[!Note] +> A lot of the above information is used in troubleshooting, the most important is the Dynamic RPC port number you get while talking to EPM. + +## How the connection works + +Client A wants to execute some functions or wants to make use of a service running on the remote server, will first establish the connection with the Remote Server by doing a three-way handshake. + +![Diagram illustrating connection to remote server](images/rpc-flow.png) + +RPC ports can be given from a specific range as well. +### Configure RPC dynamic port allocation + +Remote Procedure Call (RPC) dynamic port allocation is used by server applications and remote administration applications such as Dynamic Host Configuration Protocol (DHCP) Manager, Windows Internet Name Service (WINS) Manager, and so on. RPC dynamic port allocation will instruct the RPC program to use a particular random port in the range configured for TCP and UDP, based on the implementation of the operating system used. + +Customers using firewalls may want to control which ports RPC is using so that their firewall router can be configured to forward only these Transmission Control Protocol (UDP and TCP) ports. Many RPC servers in Windows let you specify the server port in custom configuration items such as registry entries. When you can specify a dedicated server port, you know what traffic flows between the hosts across the firewall, and you can define what traffic is allowed in a more directed manner. + +As a server port, please choose a port outside of the range you may want to specify below. You can find a comprehensive list of server ports that are used in Windows and major Microsoft products in the article [Service overview and network port requirements for Windows](https://support.microsoft.com/help/832017). +The article also lists the RPC servers and which RPC servers can be configured to use custom server ports beyond the facilities the RPC runtime offers. + +Some firewalls also allow for UUID filtering where it learns from a RPC Endpoint Mapper request for a RPC interface UUID. The response has the server port number, and a subsequent RPC Bind on this port is then allowed to pass. + +With Registry Editor, you can modify the following parameters for RPC. The RPC Port key values discussed below are all located in the following key in the registry: + +**HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\ Entry name Data Type** + +**Ports REG_MULTI_SZ** + +- Specifies a set of IP port ranges consisting of either all the ports available from the Internet or all the ports not available from the Internet. Each string represents a single port or an inclusive set of ports. For example, a single port may be represented by **5984**, and a set of ports may be represented by **5000-5100**. If any entries are outside the range of 0 to 65535, or if any string cannot be interpreted, the RPC runtime treats the entire configuration as invalid. + +**PortsInternetAvailable REG_SZ Y or N (not case-sensitive)** + +- If Y, the ports listed in the Ports key are all the Internet-available ports on that computer. If N, the ports listed in the Ports key are all those ports that are not Internet-available. + +**UseInternetPorts REG_SZ ) Y or N (not case-sensitive)** + +- Specifies the system default policy. +- If Y, the processes using the default will be assigned ports from the set of Internet-available ports, as defined previously. +- If N, the processes using the default will be assigned ports from the set of intranet-only ports. + +**Example:** + +In this example ports 5000 through 6000 inclusive have been arbitrarily selected to help illustrate how the new registry key can be configured. This is not a recommendation of a minimum number of ports needed for any particular system. + +1. Add the Internet key under: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc + +2. Under the Internet key, add the values "Ports" (MULTI_SZ), "PortsInternetAvailable" (REG_SZ), and "UseInternetPorts" (REG_SZ). + + For example, the new registry key appears as follows: + Ports: REG_MULTI_SZ: 5000-6000 + PortsInternetAvailable: REG_SZ: Y + UseInternetPorts: REG_SZ: Y + +3. Restart the server. All applications that use RPC dynamic port allocation use ports 5000 through 6000, inclusive. + +You should open up a range of ports above port 5000. Port numbers below 5000 may already be in use by other applications and could cause conflicts with your DCOM application(s). Furthermore, previous experience shows that a minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other. + +>[!Note] +>The minimum number of ports required may differ from computer to computer. Computers with higher traffic may run into a port exhaustion situation if the RPC dynamic ports are restricted. Take this into consideration when restricting the port range. + +>[!WARNING] +>If there is an error in the port configuration or there are insufficient ports in the pool, the Endpoint Mapper Service will not be able to register RPC servers with dynamic endpoints. When there is a configuration error, the error code will be 87 (0x57) ERROR_INVALID_PARAMETER. This can affect Windows RPC servers as well, such as Netlogon. It will log event 5820 in this case: +> +>Log Name: System +>Source: NETLOGON +>Event ID: 5820 +>Level: Error +>Keywords: Classic +>Description: +>The Netlogon service could not add the AuthZ RPC interface. The service was terminated. The following error occurred: 'The parameter is incorrect.' + +If you would like to do a deep dive as to how it works, see [RPC over IT/Pro](https://blogs.technet.microsoft.com/askds/2012/01/24/rpc-over-itpro/). + + +## Troubleshooting RPC error + +### PortQuery + +The best thing to always troubleshoot RPC issues before even getting in to traces is by making use of tools like **PortQry**. You can quickly determine if you are able to make a connection by running the command: + +```cmd +Portqry.exe -n -e 135 +``` + +This would give you a lot of output to look for, but you should be looking for **ip_tcp*- and the port number in the brackets, which tells whether you were successfully able to get a dynamic port from EPM and also make a connection to it. If the above fails, you can typically start collecting simultaneous network traces. Something like this from the output of “PortQry”: + +```cmd +Portqry.exe -n 169.254.0.2 -e 135 +``` +Partial output below: + +>Querying target system called: +>169.254.0.2 +>Attempting to resolve IP address to a name... +>IP address resolved to RPCServer.contoso.com +>querying... +>TCP port 135 (epmap service): LISTENING +>Using ephemeral source port +>Querying Endpoint Mapper Database... +>Server's response: +>UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d +>ncacn_ip_tcp:169.254.0.10**[49664]** + + +The one in bold is the ephemeral port number that you made a connection to successfully. + +### Netsh + +You can run the commands below to leverage Windows inbuilt netsh captures, to collect a simultaneous trace. Remember to execute the below on an “Admin CMD”, it requires elevation. + +- On the client +```cmd +Netsh trace start scenario=netconnection capture=yes tracefile=c:\client_nettrace.etl maxsize=512 overwrite=yes report=yes +``` + +- On the Server +```cmd +Netsh trace start scenario=netconnection capture=yes tracefile=c:\server_nettrace.etl maxsize=512 overwrite=yes report=yes +``` + +Now try to reproduce your issue from the client machine and as soon as you feel the issue has been reproduced, go ahead and stop the traces using the command +```cmd +Netsh trace stop +``` + +Open the traces in [Microsoft Network Monitor 3.4](troubleshoot-tcpip-netmon.md) or Message Analyzer and filter the trace for + +- Ipv4.address== and ipv4.address== and tcp.port==135 or just tcp.port==135 should help. + +- Look for the “EPM” Protocol Under the “Protocol” column. + +- Now check if you are getting a response from the server. If you get a response, note the dynamic port number that you have been allocated to use. + + ![Screenshot of Network Monitor with dynamic port highlighted](images/tcp-ts-23.png) + +- Check if we are connecting successfully to this Dynamic port successfully. + +- The filter should be something like this: tcp.port== and ipv4.address== + + ![Screenshot of Network Monitor with filter applied](images/tcp-ts-24.png) + +This should help you verify the connectivity and isolate if any network issues are seen. + + +### Port not reachable + +The most common reason why we would see the RPC server unavailable is when the dynamic port that the client tries to connect is not reachable. The client side trace would then show TCP SYN retransmits for the dynamic port. + +![Screenshot of Network Monitor with TCP SYN retransmits](images/tcp-ts-25.png) + +The port cannot be reachable due to one of the following reasons: + +- The dynamic port range is blocked on the firewall in the environment. +- A middle device is dropping the packets. +- The destination server is dropping the packets (WFP drop / NIC drop/ Filter driver etc). + + + diff --git a/windows/client-management/troubleshoot-tcpip.md b/windows/client-management/troubleshoot-tcpip.md new file mode 100644 index 0000000000..f758b36a67 --- /dev/null +++ b/windows/client-management/troubleshoot-tcpip.md @@ -0,0 +1,20 @@ +--- +title: Advanced troubleshooting for TCP/IP issues +description: Learn how to troubleshoot TCP/IP issues. +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 12/06/2018 +--- + +# Advanced troubleshooting for TCP/IP issues + +In these topics, you will learn how to troubleshoot common problems in a TCP/IP network environment. + +- [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md) +- [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md) +- [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md) +- [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md) \ No newline at end of file diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md new file mode 100644 index 0000000000..81c672993c --- /dev/null +++ b/windows/client-management/troubleshoot-windows-freeze.md @@ -0,0 +1,285 @@ +--- +title: Advanced troubleshooting for Windows-based computer freeze issues +description: Learn how to troubleshoot computer freeze issues. +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +--- + +# Advanced troubleshooting for Windows-based computer freeze issues + +This article describes how to troubleshoot freeze issues on Windows-based computers and servers. It also provides methods for collecting data that will help administrators or software developers diagnose, identify, and fix these issues. + +> [!Note] +> The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. + +## Identify the problem + +* Which computer is freezing? (Example: The impacted computer is a physical server, virtual server, and so on.) +* What operation was being performed when the freezes occurred? (Example: This issue occurs when you shut down GUI, perform one or more operations, and so on.) +* How often do the errors occur? (Example: This issue occurs every night at 7 PM, every day around 7 AM, and so on.) +* On how many computers does this occur? (Example: All computers, only one computer, 10 computers, and so on.) + +## Troubleshoot the freeze issues + +To troubleshoot the freeze issues, check the current status of your computer, and follow one of the following methods. + +### For the computer that's still running in a frozen state + +If the physical computer or the virtual machine is still freezing, use one or more of the following methods for troubleshooting: + +* Try to access the computer through Remote Desktop, Citrix, and so on. +* Use the domain account or local administrator account to log on the computer by using one of the Remote Physical Console Access features, such as Dell Remote Access Card (DRAC), HP Integrated Lights-Out (iLo), or IBM Remote supervisor adapter (RSA). +* Test ping to the computer. Packet dropping and high network latency may be observed. +* Access administrative shares (\\\\**ServerName**\\c$). +* Press Ctrl + Alt + Delete command and check response. +* Try to use Remote Admin tools such as Computer Management, remote Server Manager, and Wmimgmt.msc. + +### For the computer that is no longer frozen + +If the physical computer or virtual machine froze but is now running in a good state, use one or more of the following methods for troubleshooting. + +#### For a physical computer + +* Review the System and Application logs from the computer that is having the issue. Check the event logs for the relevant Event ID: + + - Application event log : Application Error (suggesting Crash or relevant System Process) + - System Event logs, Service Control Manager Error event IDs for Critical System Services + - Error Event IDs 2019/2020 with source Srv/Server + +* Generate a System Diagnostics report by running the perfmon /report command. + +#### For a virtual machine + +* Review the System and Application logs from the computer that is having the issue. +* Generate a System Diagnostics report by running the perfmon /report command. +* Check history in virtual management monitoring tools. + + +## Collect data for the freeze issues + +To collect data for a server freeze, check the following table, and use one or more of the suggested methods. + +|Computer type and state |Data collection method | +|-------------------------|--------------------| +|A physical computer that's running in a frozen state|[Use a memory dump file to collect data](#use-memory-dump-to-collect-data-for-the-physical-computer-thats-running-in-a-frozen-state). Or use method 2, 3, or 4. These methods are listed later in this section.| +|A physical computer that is no longer frozen|Use method 1, 2, 3, or 4. These methods are listed later in this section. And [use Pool Monitor to collect data](#use-pool-monitor-to-collect-data-for-the-physical-computer-that-is-no-longer-frozen).| +|A virtual machine that's running in a frozen state|Hyper-V or VMware: [Use a memory dump file to collect data for the virtual machine that's running in a frozen state](#use-memory-dump-to-collect-data-for-the-virtual-machine-thats-running-in-a-frozen-state).
    XenServer: Use method 1, 2, 3, or 4. These methods are listed later in this section.| +|A virtual machine that is no longer frozen|Use method 1, 2, 3, or 4. These methods are listed later in this section.| + + +### Method 1: Memory dump + +> [!Note] +> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur. + +A complete memory dump file records all the contents of system memory when the computer stops unexpectedly. A complete memory dump file may contain data from processes that were running when the memory dump file was collected. + +If the computer is no longer frozen and now is running in a good state, use the following steps to enable memory dump so that you can collect memory dump when the freeze issue occurs again. If the virtual machine is still running in a frozen state, use the following steps to enable and collect memory dump. + +> [!Note] +> If you have a restart feature that is enabled on the computer, such as the Automatic System Restart (ASR) feature in Compaq computers, disable it. This setting is usually found in the BIOS. With this feature enabled, if the BIOS doesn't detect a heartbeat from the operating system, it will restart the computer. The restart can interrupt the dump process. + + +1. Make sure that the computer is set up to get a complete memory dump file. To do this, follow these steps: + + 1. Go to **Run** and enter `Sysdm.cpl`, and then press enter. + + 2. In **System Properties**, on the **Advanced** tab, select **Performance** \> **Settings** \> **Advanced**, and then check or change the virtual memory by clicking **Change**. + + 2. Go back to **System Properties** \> **Advanced** \> **Settings** in **Startup and Recovery**. + + 3. In the **Write Debugging Information** section, select **Complete Memory Dump**. + + > [!Note] + > For Windows versions that are earlier than Windows 8 or Windows Server 2012, the Complete Memory Dump type isn't available in the GUI. You have to change it in Registry Editor. To do this, change the value of the following **CrashDumpEnabled** registry entry to **1** (REG_DWORD): + >**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled** + + 4. Select **Overwrite any existing file**. + + 5. Make sure that there's a paging file (pagefile.sys) on the system drive and that it’s at least 100 megabytes (MB) over the installed RAM (Initial and Maximum Size). + + Additionally, you can use the workaround for [space limitations on the system drive in Windows Server 2008](#space-limitations-on-the-system-drive-in-windows-server-2008). + + 6. Make sure that there's more available space on the system drive than there is physical RAM. + +2. Enable the CrashOnCtrlScroll registry value to allow the system to generate a dump file by using the keyboard. To do this, follow these steps: + + 1. Go to Registry Editor, and then locate the following registry keys: + + * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters` + + * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters` + + 2. Create the following CrashOnCtrlScroll registry entry in the two registry keys: + + - **Value Name**: `CrashOnCtrlScroll` + - **Data Type**: `REG_DWORD` + - **Value**: `1` + + 3. Exit Registry Editor. + + 4. Restart the computer. + +3. On some physical computers, you may generate a nonmakeable interruption (NMI) from the Web Interface feature (such as DRAC, iLo, and RSA). However, by default, this setting will stop the system without creating a memory dump. + + To allow the operating system to generate a memory dump file at an NMI interruption, set the value of the [NMICrashDump](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783271(v=ws.10)) registry entry to `1` (REG_DWORD). Then, restart the computer to apply this change. + + > [!Note] + > This is applicable only for Windows 7, Windows Server 2008 R2, and earlier versions of Windows. For Windows 8 Windows Server 2012, and later versions of Windows, the NMICrashDump registry key is no longer required, and an NMI interruption will result in [a Stop error that follows a memory dump data collection](https://support.microsoft.com/help/2750146). + +4. When the computer exhibits the problem, hold down the right **Ctrl** key, and press the **Scroll Lock** key two times to generate a memory dump file. + + > [!Note] + > By default, the dump file is located in the following path:
    + > %SystemRoot%\MEMORY.DMP + + +### Method 2: Data sanity check + +Use the Dump Check Utility (Dumpchk.exe) to read a memory dump file or verify that the file was created correctly. You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid. + +- [Using DumpChk]( https://docs.microsoft.com/windows-hardware/drivers/debugger/dumpchk) +- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk) + +Learn how to use Dumpchk.exe to check your dump files: + +> [!video https://www.youtube-nocookie.com/embed/xN7tOfgNKag] + + +### Method 3: Performance Monitor + +You can use Windows Performance Monitor to examine how programs that you run affect your computer's performance, both in real time and by collecting log data for later analysis. To create performance counter and event trace log collections on local and remote systems, run the following commands in a command prompt as administrator: + +```cmd +Logman create counter LOGNAME_Long -u DOMAIN\USERNAME * -f bincirc -v mmddhhmm -max 500 -c "\\COMPUTERNAME\LogicalDisk(*)\*" "\\COMPUTERNAME\Memory\*" "\\COMPUTERNAME\Network Interface(*)\*" "\\COMPUTERNAME\Paging File(*)\*" "\\COMPUTERNAME\PhysicalDisk(*)\*" "\\COMPUTERNAME\Process(*)\*" "\\COMPUTERNAME\Redirector\*" "\\COMPUTERNAME\Server\*" "\\COMPUTERNAME\System\*" "\\COMPUTERNAME\Terminal Services\*" "\\COMPUTERNAME\Processor(*)\*" "\\COMPUTERNAME\Cache\*" -si 00:05:00 +``` + +```cmd +Logman create counter LOGNAME_Short -u DOMAIN\USERNAME * -f bincirc -v mmddhhmm -max 500 -c "\\COMPUTERNAME\LogicalDisk(*)\*" "\\COMPUTERNAME\Memory\*" "\\COMPUTERNAME\Network Interface(*)\*" "\\COMPUTERNAME\Paging File(*)\*" "\\COMPUTERNAME\PhysicalDisk(*)\*" "\\COMPUTERNAME\Process(*)\*" "\\COMPUTERNAME\Redirector\*" "\\COMPUTERNAME\Server\*" "\\COMPUTERNAME\System\*" "\\COMPUTERNAME\Terminal Services\*" "\\COMPUTERNAME\Processor(*)\*" "\\COMPUTERNAME\Cache\*" -si 00:00:10 +``` + +Then, you can start or stop the log by running the following commands: + +```cmd +logman start LOGNAME_Long / LOGNAME_Short +logman stop LOGNAME_Long / LOGNAME_Short +``` + +The Performance Monitor log is located in the path: C:\PERFLOGS + +### Method 4: Microsoft Support Diagnostics + +1. In the search box of the [Microsoft Support Diagnostics Self-Help Portal](https://home.diagnostics.support.microsoft.com/selfhelp), type Windows Performance Diagnostic. + +2. In the search results, select **Windows Performance Diagnostic**, and then click **Create**. + +3. Follow the steps of the diagnostic. + + +### Additional methods to collect data + +#### Use memory dump to collect data for the physical computer that's running in a frozen state + +> [!Warning] +> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur. + +If the physical computer is still running in a frozen state, follow these steps to enable and collect memory dump: + + +1. Make sure that the computer is set up to get a complete memory dump file and that you can access it through the network. To do this, follow these steps: + > [!Note] + > If it isn't possible to access the affected computer through the network, try to generate a memory dump file through NMI interruption. The result of the action may not collect a memory dump file if some of the following settings aren't qualified. + + 1. Try to access the desktop of the computer by any means. + + > [!Note] + > In case accessing the operating system isn't possible, try to access Registry Editor on the computer remotely in order to check the type of memory dump file and page file with which the computer is currently configured. + + 2. From a remote computer that is preferably in the same network and subnet, go to **Registry Editor** \> **Connect Network Registry**. Then, connect to the concerned computer, and verify the following settings: + + * ` `*HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled` + + Make sure that the [CrashDumpEnabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-2000-server/cc976050(v=technet.10)) registry entry is `1`. + + * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\NMICrashDump` + + On some physical servers, if the NMICrashDump registry entry exists and its value is `1`, you may take advantage of the NMI from the remote management capabilities (such as DRAC, iLo, and RSA). + + * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles and ExistingPageFiles` + + If the value of the **Pagefile** registry entry is system managed, the size won't be reflected in the registry (Example value: ?:\pagefile.sys). + + If the page file is customized, the size will be reflected in the registry, such as ‘?:\pagefile.sys 1024 1124’ where 1024 is the initial size and 1124 is the max size. + + > [!Note] + > If the size isn't reflected in the Registry, try to access an Administrative share where the page file is located (such as \\\\**ServerName**\C$). + + 3. Make sure that there's a paging file (pagefile.sys) on the system drive of the computer, and it's at least 100 MB over the installed RAM. + + 4. Make sure that there's more free space on the hard disk drives of the computer than there is physical RAM. + +2. Enable the **CrashOnCtrlScroll** registry value on the computer to allow the system to generate a dump file by using the keyboard. To do this, follow these steps: + + 1. From a remote computer preferably in the same network and subnet, go to Registry Editor \> Connect Network Registry. Connect to the concerned computer and locate the following registry keys: + + * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters` + + * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters` + + 2. Create the following CrashOnCtrlScroll registry entry in the two registry keys: + + **Value Name**: `CrashOnCtrlScroll` + **Data Type**: `REG_DWORD` + **Value**: `1` + + 3. Exit Registry Editor. + + 4. Restart the computer. + +3. When the computer exhibits the problem, hold down the right **CTRL** key, and press the **Scroll Lock** key two times to generate a memory dump. + > [!Note] + > By default, the dump file is located in the path: %SystemRoot%\MEMORY.DMP + +### Use Pool Monitor to collect data for the physical computer that is no longer frozen + +Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag. + +Learn [how to use Pool Monitor](https://support.microsoft.com/help/177415) and how to [use the data to troubleshoot pool leaks](http://blogs.technet.com/b/markrussinovich/archive/2009/03/26/3211216.aspx). + +### Use memory dump to collect data for the virtual machine that's running in a frozen state + +Use the one of the following methods for the application on which the virtual machine is running. + +#### Microsoft Hyper-V + +If the virtual machine is running Windows 8, Windows Server 2012, or a later version of Windows on Microsoft Hyper-V Server 2012, you can use the built-in NMI feature through a [Debug-VM](https://docs.microsoft.com/previous-versions/windows/powershell-scripting/dn464280(v=wps.630)) cmdlet to debug and get a memory dump. + +To debug the virtual machines on Hyper-V, run the following cmdlet in Windows PowerShell: + +```powershell +Debug-VM -Name "VM Name" -InjectNonMaskableInterrupt -ComputerName Hostname +``` + +> [!Note] +> This method is applicable only to Windows 8, Windows Server 2012, and later versions of Windows virtual machines. For the earlier versions of Windows, see methods 1 through 4 that are described earlier in this section. + +#### VMware + +You can use VMware Snapshots or suspend state and extract a memory dump file equivalent to a complete memory dump file. By using [Checkpoint To Core Tool (vmss2core)](https://labs.vmware.com/flings/vmss2core), you can convert both suspend (.vmss) and snapshot (.vmsn) state files to a dump file and then analyze the file by using the standard Windows debugging tools. + +#### Citrix XenServer + +The memory dump process occurs by pressing the RIGHT CTRL + SCROLL LOCK + SCROLL LOCK keyboard combination that's described in Method 1 and on [the Citrix site](http://support.citrix.com/article/ctx123177). + +## Space limitations on the system drive in Windows Server 2008 + +On Windows Server 2008, you may not have enough free disk space to generate a complete memory dump file on the system volume. There's a [hotfix](https://support.microsoft.com/help/957517) that allows for the data collection even though there isn't sufficient space on the system drive to store the memory dump file. + +Additionally, on Windows Server 2008 Service Pack (SP2), there's a second option if the system drive doesn't have sufficient space. Namely, you can use the DedicatedDumpFile registry entry. To learn how to use the registry entry, see [New behavior in Windows Vista and Windows Server 2008](https://support.microsoft.com/help/969028). + +For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](http://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx). \ No newline at end of file diff --git a/windows/client-management/troubleshoot-windows-startup.md b/windows/client-management/troubleshoot-windows-startup.md new file mode 100644 index 0000000000..47d03fef10 --- /dev/null +++ b/windows/client-management/troubleshoot-windows-startup.md @@ -0,0 +1,19 @@ +--- +title: Advanced troubleshooting for Windows start-up issues +description: Learn how to troubleshoot Windows start-up issues. +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: +--- + +# Advanced troubleshooting for Windows start-up issues + +In these topics, you will learn how to troubleshoot common problems related to Windows start-up. + +- [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md) +- [Advanced troubleshooting for Stop error or blue screen error](troubleshoot-stop-errors.md) +- [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md) diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md index 95e731061d..efb64966cc 100644 --- a/windows/client-management/windows-10-mobile-and-mdm.md +++ b/windows/client-management/windows-10-mobile-and-mdm.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: mobile, devices, security ms.localizationpriority: medium author: AMeeus -ms.date: 09/21/2017 +ms.date: 01/26/2019 --- # Windows 10 Mobile deployment and management guide @@ -460,7 +460,7 @@ Some device-wide settings for managing VPN connections can help you manage VPNs *Applies to: Corporate and personal devices* -Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage. The device encryption in Windows 10 Mobile helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device. +Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage. The [device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) in Windows 10 Mobile helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device. Windows 10 Mobile also has the ability to install apps on a secure digital (SD) card. The operating system stores apps on a partition specifically designated for that purpose. This feature is always on so you don’t need to set a policy explicitly to enable it. diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md index c212eae7d8..f6620bd9c5 100644 --- a/windows/client-management/windows-10-support-solutions.md +++ b/windows/client-management/windows-10-support-solutions.md @@ -7,45 +7,77 @@ ms.sitesec: library ms.author: elizapo author: kaushika-msft ms.localizationpriority: medium -ms.date: 11/08/2017 --- -# Top support solutions for Windows 10 + +# Troubleshoot Windows 10 clients + +This section contains advanced troubleshooting topics and links to help you resolve issues with Windows 10 clients. Additional topics will be added as they become available. + +## Troubleshooting support topics + +- [Advanced troubleshooting for Windows networking](troubleshoot-networking.md)
    + - [Advanced troubleshooting wireless network connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
    + - [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md)
    + - [Data collection for troubleshooting 802.1X authentication](data-collection-for-802-authentication.md)
    + - [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md)
    + - [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
    + - [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
    + - [Troubleshoot port exhaustion](troubleshoot-tcpip-port-exhaust.md)
    + - [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)
    +- [Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md)
    + - [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
    + - [Advanced troubleshooting for Windows-based computer issues](troubleshoot-windows-freeze.md)
    + - [Advanced troubleshooting for stop errors or blue screen errors](troubleshoot-stop-errors.md)
    + - [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)
    + +## Windows 10 update history Microsoft regularly releases both updates and solutions for Windows 10. To ensure your computers can receive future updates, including security updates, it's important to keep them updated. Check out the following links for a complete list of released updates: -- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124/) -- [Windows 10 Version 1607 update history](https://support.microsoft.com/help/4000825/) -- [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824/) +- [Windows 10 version 1809 update history](https://support.microsoft.com/help/4464619) +- [Windows 10 version 1803 update history](https://support.microsoft.com/help/4099479) +- [Windows 10 version 1709 update history](https://support.microsoft.com/help/4043454) +- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124) +- [Windows 10 Version 1607 update history](https://support.microsoft.com/help/4000825) +- [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824) These are the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment. The links below include links to KB articles, updates, and library articles. -## Solutions related to installing Windows updates or hotfixes -- [Understanding the Windowsupdate.log file for advanced users](https://support.microsoft.com/help/4035760/understanding-the-windowsupdate-log-file-for-advanced-users) -- [You can't install updates on a Windows-based computer](https://support.microsoft.com/help/2509997/you-can-t-install-updates-on-a-windows-based-computer) -- [Get-WindowsUpdateLog](https://technet.microsoft.com/itpro/powershell/windows/windowsupdate/get-windowsupdatelog) -- [How to read the Windowsupdate.log file](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file) -- [Can't download updates from Windows Update from behind a firewall or proxy server](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) -- [Computer staged from a SysPrepped image doesn't receive WSUS updates](https://support.microsoft.com/help/4010909/computer-staged-from-a-sysprepped-image-doesn-t-receive-wsus-updates) -- [Servicing stack update for Windows 10 Version 1703: June 13, 2017](https://support.microsoft.com/help/4022405/servicingstackupdateforwindows10version1703june13-2017) -- [Servicing stack update for Windows 10 Version 1607 and Windows Server 2016: March 14, 2017](https://support.microsoft.com/help/4013418/servicing-stack-update-for-windows-10-version-1607-and-windows-server) +## Solutions related to installing Windows Updates + +- [How does Windows Update work](https://docs.microsoft.com/en-us/windows/deployment/update/how-windows-update-works) +- [Windows Update log files](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-logs) +- [Windows Update troubleshooting](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting) +- [Windows Update common errors and mitigation](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-errors) +- [Windows Update - additional resources](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-resources) + +## Solutions related to installing or upgrading Windows + +- [Quick Fixes](https://docs.microsoft.com/en-us/windows/deployment/upgrade/quick-fixes) +- [Troubleshooting upgrade errors](https://docs.microsoft.com/en-us/windows/deployment/upgrade/troubleshoot-upgrade-errors) +- [Resolution procedures](https://docs.microsoft.com/en-us/windows/deployment/upgrade/resolution-procedures) +- [0xc1800118 error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/en-in/help/3194588/0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus) +- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/en-in/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system) + +## Solutions related to BitLocker + +- [BitLocker recovery guide](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan) +- [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock) +- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker) +- [BitLocker Group Policy settings](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings) ## Solutions related to Bugchecks or Stop Errors - [Troubleshooting Stop error problems for IT Pros](https://support.microsoft.com/help/3106831/troubleshooting-stop-error-problems-for-it-pros) - [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s) - [How to troubleshoot Windows-based computer freeze issues](https://support.microsoft.com/help/3118553/how-to-troubleshoot-windows-based-computer-freeze-issues) -- [Understanding Bugchecks](https://blogs.technet.microsoft.com/askperf/2007/12/18/understanding-bugchecks/) -- [Understanding Crash Dump Files](https://blogs.technet.microsoft.com/askperf/2008/01/08/understanding-crash-dump-files/) +- [Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows](https://support.microsoft.com/help/4133658) + + +## Solutions related to Windows Boot issues +- [Troubleshooting Windows boot problems for IT Pros](https://support.microsoft.com/help/4343769) +- [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s) -## Solutions related to installing or upgrading Windows -- [Resolve Windows 10 upgrade errors : Technical information for IT Pros](/windows/deployment/upgrade/resolve-windows-10-upgrade-errors) -- [Windows OOBE fails when you start a new Windows-based computer for the first time](https://support.microsoft.com/help/4020048/windows-oobe-fails-when-you-start-a-new-windows-based-computer-for-the) -- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/help/3194588/-0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus) -- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system) -- [Updates fix in-place upgrade to Windows 10 version 1607 problem](https://support.microsoft.com/help/4020149/updates-fix-in-place-upgrade-to-windows-10-version-1607-problem) -- [OOBE update for Windows 10 Version 1703: May 9, 2017](https://support.microsoft.com/help/4020008) -- [OOBE update for Windows 10 Version 1607: May 30, 2017](https://support.microsoft.com/help/4022632) -- [OOBE update for Windows 10 Version 1511: May 30, 2017](https://support.microsoft.com/help/4022633) ## Solutions related to configuring or managing the Start menu - [Manage Windows 10 Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies) @@ -57,7 +89,8 @@ These are the top Microsoft Support solutions for the most common issues experie - [Modern apps are blocked by security software when you start the applications on Windows 10 Version 1607](https://support.microsoft.com/help/4016973/modern-apps-are-blocked-by-security-software-when-you-start-the-applic) ## Solutions related to wireless networking and 802.1X authentication - +- [Advanced Troubleshooting Wireless Network](Connectivity]https://docs.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-wireless-network-connectivity) +- [Advanced Troubleshooting 802.1x Authentication](https://docs.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-802-authentication) +- [Troubleshooting Windows 802.11 Wireless Connections](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc766215(v=ws.10)) +- [Troubleshooting Windows Secure 802.3 Wired Connections](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749352(v%3dws.10)) - [Windows 10 devices can't connect to an 802.1X environment](https://support.microsoft.com/kb/3121002) -- [Windows 10 wireless connection displays "Limited" status](https://support.microsoft.com/kb/3114149) -- [Computer that has VPN software installed can't detect wireless network after upgrading to Windows 10](https://support.microsoft.com/kb/3084164) diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md index a99249bc6b..54bb8122b7 100644 --- a/windows/client-management/windows-version-search.md +++ b/windows/client-management/windows-version-search.md @@ -15,7 +15,7 @@ ms.date: 04/30/2018 To determine if your device is enrolled in the [Long-Term Servicing Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [Semi-Annual Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them. ## System Properties -Click **Start** > **Settings** > **Settings** > click **About** from the bottom of the left-hand menu +Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu You'll now see **Edition**, **Version**, and **OS Build** information. Something like this: diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index b0498ec09f..6be8931eeb 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md @@ -31,7 +31,7 @@ #### [Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) #### [Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) #### [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) -#### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) +#### [Troubleshoot kiosk mode issues](kiosk-troubleshoot.md) ## [Configure Windows Spotlight on the lock screen](windows-spotlight.md) ## [Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions](manage-tips-and-suggestions.md) ## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) @@ -42,6 +42,7 @@ ### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) ### [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) ### [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +### [Troubleshoot Start menu errors](start-layout-troubleshoot.md) ### [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) ## [Provisioning packages for Windows 10](provisioning-packages/provisioning-packages.md) ### [How provisioning works in Windows 10](provisioning-packages/provisioning-how-it-works.md) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index d7be6815e1..52fa2a92d0 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -17,7 +17,20 @@ ms.date: 11/07/2018 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. -## Novermber 2018 +## February 2019 + +New or changed topic | Description +--- | --- +[Set up a single-app kiosk](kiosk-single-app.md) | Replaced instructions for Microsoft Intune with a link to the Intune documentation. +[Set up a multi-app kiosk](lock-down-windows-10-to-specific-apps.md) | Replaced instructions for Intune with a link to the Intune documentation. + +## January 2019 + +New or changed topic | Description +--- | --- +[Prepare a device for kiosk configuration](kiosk-prepare.md) | Added how to connect to a single-app kiosk in a virtual machine (VM) for testing. + +## November 2018 New or changed topic | Description --- | --- diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index 78e5022926..48db68727b 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -4,10 +4,9 @@ description: The world’s first personal digital assistant helps users get thin ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: eross-msft +author: lizap ms.localizationpriority: medium -ms.author: lizross -ms.date: 10/05/2017 +ms.author: elizapo --- # Cortana integration in your business or enterprise @@ -57,8 +56,6 @@ Cortana is covered under the [Microsoft Privacy Statement](https://privacy.micro ## See also - [What is Cortana?](https://go.microsoft.com/fwlink/p/?LinkId=746818) -- [Cortana and Windows](https://go.microsoft.com/fwlink/?LinkId=717384) - - [Known issues for Windows Desktop Search and Cortana in Windows 10](https://support.microsoft.com/help/3206883/known-issues-for-windows-desktop-search-and-cortana-in-windows-10) - [Cortana for developers](https://go.microsoft.com/fwlink/?LinkId=717385) diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index abe019f76c..e66228ba49 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -35,9 +35,8 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", - "ms.author": "jdecker", - "ms.date": "04/05/2017", - "feedback_system": "GitHub", + "ms.author": "jdecker", + "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index e047635740..071c89831a 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -1,24 +1,24 @@ --- title: Find the Application User Model ID of an installed app -description: In order to use assigned access with Mobile Device Management (MDM), you must know the Application User Model ID (AUMID) of Microsoft Store apps installed on a device. You can find the AUMID by either using Windows PowerShell or querying the registry. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.assetid: BD8BD003-887D-4EFD-9C7A-A68AB895D8CD -author: alhopper-msft -ms.author: alhopper -ms.date: 05/02/2017 +description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. +author: jdeckerms +ms.author: jdecker ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.localizationpriority: medium --- # Find the Application User Model ID of an installed app -In order to use assigned access with Mobile Device Management (MDM), you must know the Application User Model ID (AUMID) of Microsoft Store apps installed on a device. You can find the AUMID by either using Windows PowerShell or querying the registry. +To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. You can find the AUMID by using Windows PowerShell, File Explorer, or the registry. -## To identify the AUMID of an installed app by using Windows PowerShell +## To find the AUMID by using Windows PowerShell -At a Windows PowerShell command prompt, type the following commands to list the AUMIDs for all Microsoft Store apps installed for the current user on your device: +To get the names and AUMIDs for all apps installed for the current user, open a Windows PowerShell command prompt and enter the following command: + +```powershell +get-StartApps +``` + +To get the names and AUMIDs for Windows Store apps installed for another user, open a Windows PowerShell command prompt and enter the following commands: ```powershell $installedapps = get-AppxPackage @@ -37,7 +37,19 @@ $aumidList You can add the –user <username> or the –allusers parameters to the get-AppxPackage cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the –user or –allusers parameters. -## To identify the AUMID of an installed app for the current user by using the registry +## To find the AUMID by using File Explorer + +To get the names and AUMIDs for all apps installed for the current user, perform the following steps: + +1. Open **Run**, enter **shell:Appsfolder**, and select **OK**. + +2. A File Explorer window opens. Press **Alt** > **View** > **Choose details**. + +3. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to change the **View** setting from **Tiles** to **Details**.) + +![Image of the Choose Details options](images/aumid-file-explorer.png) + +## To find the AUMID of an installed app for the current user by using the registry Querying the registry can only return information about Microsoft Store apps that are installed for the current user, while the Windows PowerShell query can find information for any account on the device. diff --git a/windows/configuration/images/aumid-file-explorer.png b/windows/configuration/images/aumid-file-explorer.png new file mode 100644 index 0000000000..87bc7166a3 Binary files /dev/null and b/windows/configuration/images/aumid-file-explorer.png differ diff --git a/windows/configuration/images/start-ts-1.png b/windows/configuration/images/start-ts-1.png new file mode 100644 index 0000000000..ca04fc7f77 Binary files /dev/null and b/windows/configuration/images/start-ts-1.png differ diff --git a/windows/configuration/images/start-ts-2.png b/windows/configuration/images/start-ts-2.png new file mode 100644 index 0000000000..56e1ff05d1 Binary files /dev/null and b/windows/configuration/images/start-ts-2.png differ diff --git a/windows/configuration/images/start-ts-3.png b/windows/configuration/images/start-ts-3.png new file mode 100644 index 0000000000..e62bb90aa2 Binary files /dev/null and b/windows/configuration/images/start-ts-3.png differ diff --git a/windows/configuration/images/start-ts-4.png b/windows/configuration/images/start-ts-4.png new file mode 100644 index 0000000000..71316899fd Binary files /dev/null and b/windows/configuration/images/start-ts-4.png differ diff --git a/windows/configuration/images/start-ts-5.jpg b/windows/configuration/images/start-ts-5.jpg new file mode 100644 index 0000000000..61292cac4b Binary files /dev/null and b/windows/configuration/images/start-ts-5.jpg differ diff --git a/windows/configuration/images/start-ts-6.png b/windows/configuration/images/start-ts-6.png new file mode 100644 index 0000000000..d124d38fed Binary files /dev/null and b/windows/configuration/images/start-ts-6.png differ diff --git a/windows/configuration/images/start-ts-7.png b/windows/configuration/images/start-ts-7.png new file mode 100644 index 0000000000..0c85959912 Binary files /dev/null and b/windows/configuration/images/start-ts-7.png differ diff --git a/windows/configuration/images/vm-kiosk-connect.png b/windows/configuration/images/vm-kiosk-connect.png new file mode 100644 index 0000000000..2febd9d573 Binary files /dev/null and b/windows/configuration/images/vm-kiosk-connect.png differ diff --git a/windows/configuration/images/vm-kiosk.png b/windows/configuration/images/vm-kiosk.png new file mode 100644 index 0000000000..59f01c1348 Binary files /dev/null and b/windows/configuration/images/vm-kiosk.png differ diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md index 9675c42d2c..56411e9638 100644 --- a/windows/configuration/kiosk-additional-reference.md +++ b/windows/configuration/kiosk-additional-reference.md @@ -31,7 +31,7 @@ Topic | Description [Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps. [Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. -[Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration. +[Troubleshoot kiosk mode issues](kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration. diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index a142517a28..e0121dbd6c 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -7,7 +7,6 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: jdeckerms -ms.date: 07/30/2018 --- # Configure kiosks and digital signs on Windows desktop editions @@ -16,7 +15,7 @@ Some desktop devices in an enterprise serve a special purpose, such as a PC in t | | | --- | --- - | **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app.

    When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.

    A single-app kiosk is ideal for public use.

    (Using [ShellLauncher WMI](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen.) | ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png) + | **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app.

    When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.

    A single-app kiosk is ideal for public use.

    (Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen.) | ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png) | **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types.

    A multi-app kiosk is appropriate for devices that are shared by multiple people.

    When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. | ![Illustration of a kiosk Start screen](images/kiosk-desktop.png) Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. @@ -30,6 +29,9 @@ There are several kiosk configuration methods that you can choose from, dependin ![icon that represents Windows](images/windows.png) | **Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. ![icon that represents a user account](images/user.png) | **Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method. + +>[!IMPORTANT] +>Single-app kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. ## Methods for a single-app kiosk running a UWP app @@ -47,7 +49,7 @@ You can use this method | For this edition | For this kiosk account type You can use this method | For this edition | For this kiosk account type --- | --- | --- [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Azure AD -[ShellLauncher WMI](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD +[Shell Launcher](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD [Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD @@ -68,7 +70,7 @@ Method | App type | Account type | Single-app kiosk | Multi-app kiosk [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | X Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | X | X -[ShellLauncher WMI](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X | +[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X | [MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | | X diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index 3a810a03ce..8eef8af221 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md @@ -61,7 +61,7 @@ Remove All Programs list from the Start Menu | Enabled – Remove and disable s Prevent access to drives from My Computer | Enabled - Restrict all drivers >[!NOTE] ->When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. +>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 7932dafc17..515e4fa81f 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 10/02/2018 +ms.date: 01/09/2019 --- # Prepare a device for kiosk configuration @@ -23,15 +23,21 @@ ms.date: 10/02/2018 > >Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. +>[!IMPORTANT] +>[User account control (UAC)](https://docs.microsoft.com/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. +> +>Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. + +## Configuration recommendations For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: Recommendation | How to --- | --- -Hide update notifications
    (New in Windows 10, version 1809) | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**
    -or-
    Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)
    -or-
    Add the following registry keys as DWORD (32-bit) type:
    `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateNotificationLevel` with a value of `1`, and `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetUpdateNotificationLevel` with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings. +Hide update notifications
    (New in Windows 10, version 1809) | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**
    -or-
    Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)
    -or-
    Add the following registry keys as DWORD (32-bit) type:
    `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetUpdateNotificationLevel` with a value of `1`, and `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateNotificationLevel` with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings. Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

    `HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled` Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign. -Hide **Ease of access** feature on the sign-in screen. | Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. +Hide **Ease of access** feature on the sign-in screen. | See [how to disable the Ease of Access button in the registry.](https://docs.microsoft.com/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen) Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. @@ -231,4 +237,17 @@ The following table describes some features that have interoperability issues we + +## Testing your kiosk in a virtual machine (VM) +Customers sometimes use virtual machines (VMs) to test configurations before deploying those configurations to physical devices. If you use a VM to test your single-app kiosk configuration, you need to know how to connect to the VM properly. + +A single-app kiosk kiosk configuration runs an app above the lockscreen. It doesn't work when it's accessed remotely, which includes *enhanced* sessions in Hyper-V. + +When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** is not selected in the **View** menu; that means it's a basic session. + +![VM windows, View menu, Extended session is not selected](images/vm-kiosk.png) + +To connect to a VM in a basic session, do not select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog. + +![Do not select connect button, use close X in corner](images/vm-kiosk-connect.png) diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index 02c0137f83..e928698268 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md @@ -36,7 +36,7 @@ Using Shell Launcher, you can configure a kiosk device that runs a Windows deskt -### Requirements +## Requirements >[!WARNING] >- Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image. @@ -50,7 +50,7 @@ Using Shell Launcher, you can configure a kiosk device that runs a Windows deskt [See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603) -### Configure Shell Launcher +## Configure Shell Launcher To set a Windows desktop application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell. diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 4af964b132..64a3ca542a 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 10/09/2018 +ms.date: 01/09/2019 --- # Set up a single-app kiosk @@ -24,6 +24,11 @@ ms.date: 10/09/2018 --- | --- A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen.

    When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. | ![Illustration of a single-app kiosk experience](images/kiosk-fullscreen-sm.png) +>[!IMPORTANT] +>[User account control (UAC)](https://docs.microsoft.com/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. +> +>Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. + You have several options for configuring your single-app kiosk. Method | Description @@ -233,30 +238,14 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des > >Account type: Local standard user, Azure AD -![The configuration settings for single-app kiosk in Microsoft Intune](images/kiosk-intune.png) + Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. >[!TIP] >Starting in Windows 10, version 1803, a ShellLauncher node has been added to the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). -The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider. - -**To configure kiosk in Microsoft Intune** - -2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. -3. Select **Device configuration**. -4. Select **Profiles**. -5. Select **Create profile**. -6. Enter a friendly name for the profile. -7. Select **Windows 10 and later** for the platform. -8. Select **Device restrictions** for the profile type. -9. Select **Kiosk**. -10. In **Kiosk Mode**, select **Single app kiosk**. -1. Enter the user account (Azure AD or a local standard user account). -11. Enter the Application User Model ID for an installed app. -14. Select **OK**, and then select **Create**. -18. Assign the profile to a device group to configure the devices in that group as kiosks. +To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/kiosk-settings). For other MDM services, see the documentation for your provider. diff --git a/windows/configuration/multi-app-kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md similarity index 64% rename from windows/configuration/multi-app-kiosk-troubleshoot.md rename to windows/configuration/kiosk-troubleshoot.md index d724cae559..321d899394 100644 --- a/windows/configuration/multi-app-kiosk-troubleshoot.md +++ b/windows/configuration/kiosk-troubleshoot.md @@ -1,5 +1,5 @@ --- -title: Troubleshoot multi-app kiosk (Windows 10) +title: Troubleshoot kiosk mode issues (Windows 10) description: Tips for troubleshooting multi-app kiosk configuration. ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 keywords: ["lockdown", "app restrictions"] @@ -9,19 +9,34 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 10/09/2018 ms.author: jdecker ms.topic: article --- -# Troubleshoot multi-app kiosk +# Troubleshoot kiosk mode issues **Applies to** - Windows 10 -## Unexpected results +## Single-app kiosk issues + +>[!TIP] +>We recommend that you [enable logging for kiosk issues](kiosk-prepare.md#enable-logging). For some failures, events are only captured once. If you enable logging after an issue occurs with your kiosk, the logs may not capture those one-time events. In that case, prepare a new kiosk environment (such as a [virtual machine (VM)](kiosk-prepare.md#test-vm)), set up your kiosk account and configuration, and try to reproduce the problem. + +### Sign-in issues + +1. Verify that User Account Control (UAC) is turned on. +2. Check the Event Viewer logs for sign-in issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**. + +### Automatic logon issues + +Check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**. + +## Multi-app kiosk issues + +### Unexpected results For example: - Start is not launched in full-screen @@ -39,17 +54,17 @@ For example: ![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png) -## Automatic logon issues +### Automatic logon issues Check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**. -## Apps configured in AllowedList are blocked +### Apps configured in AllowedList are blocked 1. Ensure the account is mapped to the correct profile and that the apps are specific for that profile. 2. Check the EventViewer logs for Applocker and AppxDeployment (under **Application and Services Logs\Microsoft\Windows**). -## Start layout not as expected +### Start layout not as expected - Make sure the Start layout is authored correctly. Ensure that the attributes **Size**, **Row**, and **Column** are specified for each application and are valid. - Check if the apps included in the Start layout are installed for the assigned access user. diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 46423972f4..b927ef5c8e 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 10/02/2018 +ms.date: 01/09/2019 ms.author: jdecker ms.topic: article --- @@ -39,34 +39,14 @@ New features and improvements | In update You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision). + + + ## Configure a kiosk in Microsoft Intune -1. [Generate the Start layout for the kiosk device.](#startlayout) -2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. -3. Select **Device configuration**. -4. Select **Profiles**. -5. Select **Create profile**. -6. Enter a friendly name for the profile. -7. Select **Windows 10 and later** for the platform. -8. Select **Kiosk (Preview)** for the profile type. -9. Select **Kiosk - 1 setting available**. -10. Select **Add** to define a configuration, which specifies the apps that will run and the layout for the Start menu. -12. Enter a friendly name for the configuration. -10. In **Kiosk Mode**, select **Multi app kiosk**. -13. Select an app type. - - For **Add Win32 app**, enter a friendly name for the app in **App Name**, and enter the path to the app executable in **Identifier**. - - For **Add managed apps**, select an app that you manage through Intune. - - For **Add app by AUMID**, enter the Application User Model ID (AUMID) for an installed UWP app. -14. Select whether to enable the taskbar. -15. Browse to and select the Start layout XML file that you generated in step 1. -16. Add one or more accounts. When the account signs in, only the apps defined in the configuration will be available. -17. Select **OK**. You can add additional configurations or finish. -18. Assign the profile to a device group to configure the devices in that group as kiosks. - ->[!NOTE] ->Managed apps are apps that are in the Microsoft Store for Business that is synced with your Intune subscription. +To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/kiosk-settings). For explanations of the specific settings, see [Windows 10 and later device settings to run as a kiosk in Intune](https://docs.microsoft.com/intune/kiosk-settings-windows). ## Configure a kiosk using a provisioning package @@ -175,7 +155,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can - For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout). - For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%). -- To configure the app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample). +- To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample). When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**: @@ -315,7 +295,7 @@ The following example hides the taskbar: ``` >[!IMPORTANT] ->The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Direcotry account could potentially compromise confidential information. +>The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Directory account could potentially compromise confidential information. #### Configs @@ -399,7 +379,7 @@ Before applying the multi-app configuration, make sure the specified user accoun Group accounts are specified using ``. Nested groups are not supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A will not have the kiosk experience. -- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. +- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Azure AD accounts that are added to the local group will not have the kiosk settings applied. ```xml @@ -416,7 +396,7 @@ Group accounts are specified using ``. Nested groups are not supporte ``` -- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. +- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign in. ```xml @@ -619,7 +599,7 @@ Remove All Programs list from the Start Menu | Enabled – Remove and disable s Prevent access to drives from My Computer | Enabled - Restrict all drivers >[!NOTE] ->When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. +>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. @@ -671,4 +651,4 @@ In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceCont ## Other methods -Environments that use WMI can use the [MDM Bridge WMI Provider to configure a kiosk](kiosk-mdm-bridge.md). \ No newline at end of file +Environments that use WMI can use the [MDM Bridge WMI Provider to configure a kiosk](kiosk-mdm-bridge.md). diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index bc3b5d3544..93605b8aea 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md @@ -38,7 +38,7 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be

    [Hibernate Once/Resume Many (HORM)](https://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device

    -N/A +[HORM](https://docs.microsoft.com/windows-hardware/customize/enterprise/hibernate-once-resume-many-horm-)

    HORM is supported in Windows 10, version 1607 and later.

    diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index db1036262f..7729761c95 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -68,6 +68,7 @@ On devices running Windows 10, you can install [the Windows Configuration Design ## Current Windows Configuration Designer limitations +- Windows Configuration Designer will not work properly if the Group Policy setting **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** is enabled. We recommend that you run Windows Configuration Designer on a different device, rather than change the security setting. - You can only run one instance of Windows Configuration Designer on your computer at a time. diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index a4e515d653..aa66879976 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -89,7 +89,7 @@ You can configure Windows to be in shared PC mode in a couple different ways: ![Shared PC settings in ICD](images/icd-adv-shared-pc.png) -- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For example, open PowerShell as an administrator and enter the following: +- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following: ``` $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC" diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md new file mode 100644 index 0000000000..635ee7e17a --- /dev/null +++ b/windows/configuration/start-layout-troubleshoot.md @@ -0,0 +1,313 @@ +--- +title: Troubleshoot Start menu errors +description: Troubleshoot common errors related to Start menu in Windows 10. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.author: kaushika +author: kaushika-msft +ms.localizationpriority: medium +ms.date: 12/03/18 +--- + +# Troubleshoot Start Menu errors + +Start failures can be organized into these categories: + +- **Deployment/Install issues** - Easiest to identify but difficult to recover. This failure is consistent and usually permanent. Reset, restore from backup, or rollback to recover. +- **Performance issues** - More common with older hardware, low-powered machines. Symptoms include: High CPU utilization, disk contention, memory resources. This makes Start very slow to respond. Behavior is intermittent depending on available resources. +- **Crashes** - Also easy to identify. Crashes in Shell Experience Host or related can be found in System or Application event logs. This can be a code defect or related to missing or altered permissions to files or registry keys by a program or incorrect security tightening configurations. Determining permissions issues can be time consuming but a [SysInternals tool called Procmon](https://docs.microsoft.com/sysinternals/downloads/procmon) will show **Access Denied**. The other option is to get a dump of the process when it crashes and depending on comfort level, review the dump in the debugger, or have support review the data. +- **Hangs** in Shell Experience host or related. These are the hardest issues to identify as there are few events logged, but behavior is typically intermittent or recovers with a reboot. If a background application or service hangs, Start will not have resources to respond in time. Clean boot may help identify if the issue is related to additional software. Procmon is also useful in this scenario. +- **Other issues** - Customization, domain policies, deployment issues. + +## Basic troubleshooting + +When troubleshooting basic Start issues (and for the most part, all other Windows apps), there are a few things to check if they are not working as expected. When experiencing issues where the Start Menu or sub-component are not working, there are some quick tests to narrow down where the issue may reside. + +### Check the OS and update version + +- Is the system running the latest Feature and Cumulative Monthly update? +- Did the issue start immediately after an update? Ways to check: + - Powershell:[System.Environment]::OSVersion.Version + - WinVer from CMD.exe + + + +### Check if Start is installed + +- If Start fails immediately after a feature update, on thing to check is if the App package failed to install successfully. + +- If Start was working and just fails intermittently, it's likely that Start is installed correctly, but the issue occurs downstream. The way to check for this is to look for output from these two PS commands: + + - `get-AppXPackage -Name Microsoft.Windows.ShellExperienceHost` + - `get-AppXPackage -Name Microsoft.Windows.Cortana` + + ![Example of output from cmdlets](images/start-ts-1.png) + + Failure messages will appear if they are not installed + +- If Start is not installed the fastest resolution is to revert to a known good configuration. This can be rolling back the update, resetting the PC to defaults (where there is a choice to save to delete user data), or restoring from backup. There is no supported method to install Start Appx files. The results are often problematic and unreliable. + +### Check if Start is running + +If either component is failing to start on boot, reviewing the event logs for errors or crashes during boot may pin point the problem. Booting with MSCONFIG and using a selective or diagnostic startup option will eliminate and/or identify possible interference from additional applications. +- `get-process -name shellexperiencehost` +- `get-process -name searchui` + +If it is installed but not running, test booting into safe mode or use MSCONFIG to eliminate 3rd party or additional drivers and applications. + +### Check whether the system a clean install or upgrade + +- Is this system an upgrade or clean install? + - Run `test-path "$env:windir\panther\miglog.xml"` + - If that file does not exist, the system is a clean install. +- Upgrade issues can be found by running `test-path "$env:windir\panther\miglog.xml"` + + +### Check if Start is registered or activated + +- Export the following Event log to CSV and do a keyword search in a text editor or spreadsheet: + - Microsoft-Windows-TWinUI/Operational for Microsoft.Windows.ShellExperienceHost or Microsoft.Windows.Cortana + - "Package was not found" + - "Invalid value for registry" + - "Element not found" + - "Package could not be registered" + +If these events are found, Start is not activated correctly. Each event will have more detail in the description and should be investigated further. Event messages can vary. + +### Other things to consider + +When did this start? + +- Top issues for Start Menu failure are triggered + - After an update + - After installation of an application + - After joining a domain or applying a domain policy +- Many of those issues are found to be + - Permission changes on Registry keys or folders + - Start or related component crashes or hangs + - Customization failure + +To narrow this down further, it's good to note: + +- What is the install background? + - Was this a deployment, install from media, other + - Using customizations? + - DISM + - Group Policy or MDM + - copyprofile + - Sysprep + - Other + +- Domain-joined + - Group policy settings that restrict access or permissions to folders or registry keys can cause issues with Start performance. + - Some Group Policies intended for Windows 7 or older have been known to cause issues with Start + - Untested Start Menu customizations can cause unexpected behavior by typically not complete Start failures. + +- Is this a virtualized environment? + - VMware + - Citrix + - Other + +## Check Event logs that record Start Issues: + +- System Event log +- Application Event log +- Microsoft/Windows/Shell-Core* +- Microsoft/Windows/Apps/ +- Microsoft-Windows-TWinUI* +- Microsoft/Windows/AppReadiness* +- Microsoft/Windows/AppXDeployment* +- Microsoft-Windows-PushNotification-Platform/Operational +- Microsoft-Windows-CoreApplication/Operational +- Microsoft-Windows-ShellCommon-StartLayoutPopulation* +- Microsoft-Windows-CloudStore* + + +- Check for crashes that may be related to Start (explorer.exe, taskbar, etc) + - Application log event 1000, 1001 + - Check WER reports + - C:\ProgramData\Microsoft\Windows\WER\ReportArchive\ + - C:\ProgramData\Micrt\Windowsosof\WER\ReportQueue\ + +If there is a component of Start that is consistently crashing, capture a dump which can be reviewed by Microsoft Support. + +## Common errors and mitigation + +The following list provides information about common errors you might run into with Start Menu, as well as steps to help you mitigate them. + +### Symptom: Start Menu doesn't respond on Windows 2012 R2, Windows 10, or Windows 2016 + +**Cause**: Background Tasks Infrastructure Service (BrokerInfrastructure) service is not started. + +**Resolution**: Ensure that Background Tasks Infrastructure Service is set to automatic startup in Services MMC. + +If Background Tasks Infrastructure Service fails to start, verify that the Power Dependency Coordinator Driver (PDC) driver and registry key are not disabled or deleted. If either are missing, restore from backup or the installation media. + +To verify the PDC Service, run `C:\>sc query pdc` in a command prompt. The results will be similar to the following: + +>SERVICE_NAME: pdc +>TYPE : 1 KERNEL_DRIVER +>STATE : 4 RUNNING +> (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) +>WIN32_EXIT_CODE : 0 (0x0) +>SERVICE_EXIT_CODE : 0 (0x0) +>CHECKPOINT : 0x0 +>WAIT_HINT : 0x0 + +The PDC service uses pdc.sys located in the %WinDir%\system32\drivers. + +The PDC registry key is: +`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pdc` +**Description**="@%SystemRoot%\\system32\\drivers\\pdc.sys,-101" +**DisplayName**="@%SystemRoot%\\system32\\drivers\\pdc.sys,-100" +**ErrorControl**=dword:00000003 +**Group**="Boot Bus Extender" +**ImagePath**=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\ + 72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,64,00,63,00,2e,00,73,00,79,\ + 00,73,00,00,00 +**Start**=dword:00000000 +**Type**=dword:00000001 + +In addition to the listed dependencies for the service, Background Tasks Infrastructure Service requires the Power Dependency Coordinator Driver to be loaded. If the PDC does not load at boot, Background Tasks Infrastructure Service will fail and affect Start Menu. +Events for both PDC and Background Tasks Infrastructure Service will be recorded in the event logs. PDC should not be disabled or deleted. BrokerInfrastructure is an automatic service. This Service is required for all these operating Systems as running to have a stable Start Menu. + +>[!NOTE] +>You cannot stop this automatic service when machine is running (C:\windows\system32\svchost.exe -k DcomLaunch -p). + + +### Symptom: After upgrading from 1511 to 1607 versions of Windows, the Group Policy "Remove All Programs list from the Start Menu" may not work + +**Cause**: There was a change in the All Apps list between Windows 10, versions 1511 and 1607. These changes mean the original Group Policy and corresponding registry key no longer apply. + +**Resolution**: This issue was resolved in the June 2017 updates. Please update Windows 10, version 1607 to the latest cumulative or feature updates. + +>[!Note] +>When the Group Policy is enabled, the desired behavior also needs to be selected. By default, it is set to **None**. + + +### Symptom: Application tiles like Alarm, Calculator, and Edge are missing from Start Menu and the Settings app fails to open on Windows 10, version 1709 when a local user profile is deleted + +![Screenshots that show download icons on app tiles and missing app tiles](images/start-ts-2.png) + +**Cause**: This is a known issue where the first-time logon experience is not detected and does not trigger the install of some Apps. + +**Resolution**: This issue has been fixed for Windows 10, version 1709 in [KB 4089848](https://support.microsoft.com/help/4089848) March 22, 2018—KB4089848 (OS Build 16299.334) + +### Symptom: When attempting to customize Start Menu layout, the customizations do not apply or results are not expected + +**Cause**: There are two main reasons for this issue: + +- Incorrect format: Editing the xml file incorrectly by adding an extra space or spaces, entering a bad character, or saving in the wrong format. + - To tell if the format is incorrect, check for **Event ID: 22** in the "Applications and Services\Microsoft\Windows\ShellCommon-StartLayoutPopulation\Operational" log. + - Event ID 22 is logged when the xml is malformed, meaning the specified file simply isn’t valid xml. + - When editing the xml file, it should be saved in UTF-8 format. + +- Unexpected information: This occurs when possibly trying to add a tile via unexpected or undocumented method. + - **Event ID: 64** is logged when the xml is valid but has unexpected values. + - For example: The following error occurred while parsing a layout xml file: The attribute 'LayoutCustomizationRestrictiontype' on the element '{http://schemas.microsoft.com/Start/2014/LayoutModification}DefaultLayoutOverride' is not defined in the DTD/Schema. + +XML files can and should be tested locally on a Hyper-V or other virtual machine before deployment or application by Group Policy + +### Symptom: Start menu no longer works after a PC is refreshed using F12 during start up + +**Description**: If a user is having problems with a PC, is can be refreshed, reset, or restored. Refreshing the PC is a beneficial option because it maintains personal files and settings. When users have trouble starting the PC, "Change PC settings" in Settings is not accessible. So, to access the System Refresh, users may use the F12 key at start up. Refreshing the PC finishes, but Start Menu is not accessible. + +**Cause**: This is a known issue and has been resolved in a cumulative update released August 30th 2018. + +**Resolution**: Install corrective updates; a fix is included in the [September 11, 2018-KB4457142 release](https://support.microsoft.com/help/4457142). + +### Symptom: The All Apps list is missing from Start menu + +**Cause**: “Remove All Programs list from the Start menu" Group Policy is enabled. + +**Resolution**: Disable the “Remove All Programs list from the Start menu" Group Policy. + +### Symptom: Tiles are missing from the Start Menu when using Windows 10, version 1703 or older, Windows Server 2016, and Roaming User Profiles with a Start layout + +**Description**: There are two different Start Menu issues in Windows 10: +- Administrator configured tiles in the start layout fail to roam. +- User-initiated changes to the start layout are not roamed. + +Specifically, behaviors include + - Applications (apps or icons) pinned to the start menu are missing. + - Entire tile window disappears. + - The start button fails to respond. + - If a new roaming user is created, the first logon appears normal, but on subsequent logons, tiles are missing. + + +![Example of a working layout](images/start-ts-3.png) + +*Working layout on first sign-in of a new roaming user profile* + +![Example of a failing layout](images/start-ts-4.png) + +*Failing layout on subsequent sign-ins* + + +**Cause**: A timing issue exists where the Start Menu is ready before the data is pulled locally from the Roaming User Profile. The issue does not occur on first logons of a new roaming user, as the code path is different and slower. + +**Resolution**: This issue has been resolved in Windows 10, versions 1703 and 1607, cumulative updates [as of March 2017](https://support.microsoft.com/help/4013429). + + +### Symptom: Start Menu layout customizations are lost after upgrading to Windows 10, version 1703 + +**Description**: + +Before the upgrade: + + ![Example of Start screen with customizations applied](images/start-ts-5.jpg) + +After the upgrade the user pinned tiles are missing: + + ![Example of Start screen with previously pinned tiles missing](images/start-ts-6.png) + +Additionally, users may see blank tiles if logon was attempted without network connectivity. + + ![Example of blank tiles](images/start-ts-7.png) + + +**Resolution**: This is fixed in [October 2017 update](https://support.microsoft.com/en-us/help/4041676). + +### Symptom: Tiles are missing after upgrade from Windows 10, version 1607 to version 1709 for users with Roaming User Profiles (RUP) enabled and managed Start Menu layout with partial lockdown + +**Resolution** The April 2018 LCU must be applied to Windows 10, version 1709 before a user logs on. + +### Symptom: Start Menu and/or Taskbar layout customizations are not applied if CopyProfile option is used in an answer file during Sysprep + +**Resolution**: CopyProfile is no longer supported when attempting to customize Start Menu or taskbar with a layoutmodification.xml. + +### Symptom: Start Menu issues with Tile Data Layer corruption + +**Cause**: Windows 10, version 1507 through the release of version 1607 uses a database for the Tile image information. This is called the Tile Data Layer database. + +**Resolution** There are steps you can take to fix the icons, first is to confirm that is the issue that needs to be addressed. + +1. The App or Apps work fine when you click on the tiles. +2. The tiles are blank, have a generic placeholder icon, have the wrong or strange title information. +3. The app is missing, but listed as installed via Powershell and works if you launch via URI. + - Example: `windows-feedback://` +4. In some cases, Start can be blank, and Action Center and Cortana do not launch. + +>[!Note] +>Corruption recovery removes any manual pins from Start. Apps should still be visible, but you’ll need to re-pin any secondary tiles and/or pin app tiles to the main Start view. Aps that you have installed that are completely missing from “all apps” is unexpected, however. That implies the re-registration didn’t work. + +- Open a command prompt, and run the following command: + +``` +C:\Windows\System32\tdlrecover.exe -reregister -resetlayout -resetcache +``` + +Although a reboot is not required, it may help clear up any residual issues after the command is run. + + + + + + + + + + + + diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md index 301f4a7b07..de3fecb42b 100644 --- a/windows/configuration/ue-v/uev-getting-started.md +++ b/windows/configuration/ue-v/uev-getting-started.md @@ -47,7 +47,7 @@ You’ll need to deploy a settings storage location, a standard network share wh **Create a network share** -1. Create a new security group and add UE-V users to it. +1. Create a new security group and add UE-V users to the group. 2. Create a new folder on the centrally located computer that stores the UE-V settings packages, and then grant the UE-V users access with group permissions to the folder. The administrator who supports UE-V must have permissions to this shared folder. @@ -80,7 +80,7 @@ For evaluation purposes, enable the service on at least two devices that belong The UE-V service is the client-side component that captures user-personalized application and Windows settings and saves them in settings packages. Settings packages are built, locally stored, and copied to the settings storage location. Before enabling the UE-V service, you'll need to register the UE-V templates for first use. In a PowerShell window, type `Register-UevTemplate [TemplateName]` where **TemplateName** is the name of the UE-V template you want to register, and press ENTER. For instance, to register all built-in UE-V templates, use the following PowerShell Command: -'Get-childItem c:\programdata\Microsoft\UEV\InboxTemplates\*.xml|% {Register-UevTemplate $_.Fullname}' +`Get-childItem c:\programdata\Microsoft\UEV\InboxTemplates\*.xml|% {Register-UevTemplate $_.Fullname}` A storage path must be configured on the client-side to tell where the personalized settings are stored. diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md index 8a119cf39e..f91ada9764 100644 --- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md +++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md @@ -35,10 +35,10 @@ When replacing a user’s device, UE-V automatically restores settings if the us You can also use the Windows PowerShell cmdlet, Restore-UevBackup, to restore settings from a different device. To clone the settings packages for the new device, use the following cmdlet in Windows PowerShell: ``` syntax -Restore-UevBackup -Machine +Restore-UevBackup -ComputerName ``` -where <MachineName> is the computer name of the device. +where <ComputerName> is the computer name of the device. Templates such as the Office 2013 template that include many applications can either all be included in the roamed (default) or backed up profile. Individual apps in a template suite follow the group. Office 2013 in-box templates include both roaming and backup-only settings. Backup-only settings cannot be included in a roaming profile. diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md index 585fe8822f..eea5619b50 100644 --- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md +++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md @@ -84,7 +84,7 @@ Review the following tables for details about Office support in UE-V:

    Microsoft PowerPoint 2016

    Microsoft Project 2016

    Microsoft Publisher 2016

    -

    Microsoft SharePoint Designer 2013 (not udpated for 2016)

    +

    Microsoft SharePoint Designer 2013 (not updated for 2016)

    Microsoft Visio 2016

    Microsoft Word 2016

    Microsoft Office Upload Manager

    diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md index 70a65ed02e..b245647edf 100644 --- a/windows/configuration/wcd/wcd-devicemanagement.md +++ b/windows/configuration/wcd/wcd-devicemanagement.md @@ -50,7 +50,7 @@ Use to configure device management settings. | ProtocolVersion | Select between **1.1** and **1.2** for the OMA DM protocol version that the server supports | | **Role** | Select between **Enterprise** and **Mobile Operator** for the role mask that the DM session runs with when it communicates with the server | | **ServerID** | Enter the OMA DM server's unique identifier for the current OMA DM account | -| SSLClientCertSearchCriteria | Specify the client certificate search criteria, by subject attribute and certficate stores. For details, see [DMAcc configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmacc-csp). | +| SSLClientCertSearchCriteria | Specify the client certificate search criteria, by subject attribute and certificate stores. For details, see [DMAcc configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmacc-csp). | | UseHardwareDeviceID | Specify whether to use the hardware ID for the ./DevInfo/DevID parameter in the DM account to identify the device | | UseNonceResync | Specify whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication | @@ -90,4 +90,4 @@ In **PROVURL**, enter the URL for a Trusted Provisioning Server (TPS). ## Related topics - [DMAcc configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/dmacc-csp) -- [PXLOGICAL CSP](https://docs.microsoft.com/windows/client-management/mdm/pxlogical-csp) \ No newline at end of file +- [PXLOGICAL CSP](https://docs.microsoft.com/windows/client-management/mdm/pxlogical-csp) diff --git a/windows/configuration/wcd/wcd-hotspot.md b/windows/configuration/wcd/wcd-hotspot.md index d3dbe83cdf..e2bdada785 100644 --- a/windows/configuration/wcd/wcd-hotspot.md +++ b/windows/configuration/wcd/wcd-hotspot.md @@ -8,121 +8,10 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 12/18/2018 --- # HotSpot (Windows Configuration Designer reference) -Use HotSpot settings to configure Internet sharing. - -## Applies to - -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | X | | | | - ->[!NOTE] ->Although the HotSpot settings are available in advanced editing for multiple editions, the settings are only supported on devices running Windows 10 Mobile. - -## DedicatedConnections - -(Optional) Set DedicatedConnections to a semicolon-separated list of connections. - -Specifies the list of Connection Manager cellular connections that Internet sharing will use as public connections. - -By default, any available connection will be used as a public connection. However, this node allows a mobile operator to specify one or more connection names to use as public connections. - -Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections. - -The mapping policy will also include the connection specified in the TetheringNAIConnection value as well. - - If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share. - - - -## Enabled - -Specify **True** to enable Internet sharing on the device or **False** to disable Internet sharing. - -If Enabled is initially set to **True**, the feature is turned off and the internet sharing screen is removed from Settings so that the user cannot access it. Configuration changes or connection sharing state changes will not be possible. - -When Enabled is set to **False**, the internet sharing screen is added to Settings, although sharing is turned off by default until the user turns it on. - -## EntitlementDll - -Enter the path to the entitlement DLL used to make entitlement checks that verify that the device is entitled to use the Internet sharing service on a mobile operator's network. - -## EntitlementInterval - -Enter the time interval, in seconds, between entitlement checks. - -## EntitlementRequired - -Specify whether the device requires an entitlement check to determine if Internet sharing should be enabled. - -## MaxBluetoothUsers - -(Optional) Specify the maximum number of simultaneous Bluetooth users that can be connected to a device while sharing over Bluetooth. Set MaxBluetoothUsers to an integer value between 1 and 7 inclusive. The default value is 7. - - -## MaxUsers - -(Optional) Specify the maximum number of simultaneous users that can be connected to a device while sharing. Set MaxUsers to an integer value between 1 and 8 inclusive. The default value is 5. - - -## MOAppLink - -(Optional) Enter an application link that points to a pre-installed application, provided by the mobile operator. that will help a user to subscribe to the mobile operator's Internet sharing service when Internet sharing is not provisioned or entitlement fails. - -Set MOAppLink to a valid app ID. The general format for the link is *app://MOappGUID*. For example, if your app ID is `12345678-9012-3456-7890-123456789012`, you must set the value to `app://12345678-9012-3456-7890-123456789012`. - - -## MOHelpMessage - -(Optional) Enter a reference to a localized string, provided by the mobile operator, that is displayed when Internet sharing is not enabled due to entitlement failure. The node takes a language-neutral registry value string, which has the following form: - -``` -@,- -``` - -Where `` is the resource dll that contains the string and `` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](https://msdn.microsoft.com/library/windows/desktop/dd374120.aspx). - -## MOHelpNumber - -(Optional) Enter a mobile operator–specified phone number that is displayed to the user when the Internet sharing service fails to start. The user interface displays a message informing the user that they can call the specified number for help. - - - -## MOInfoLink - -(Optional) Enter a mobile operator–specified HTTP link that is displayed to the user when Internet sharing is disabled or the device is not entitled. The user interface displays a message informing the user that they can visit the specified link for more information about how to enable the feature. - -## PeerlessTimeout - -(Optional) Enter the time-out period, in minutes, after which Internet sharing should automatically turn off if there are no active clients. - -Set PeerlessTimeout to any value between 1 and 120 inclusive. A value of 0 is not supported. The default value is 5 minutes. - -## PublicConnectionTimeout - -(Optional) Enter the time-out value, in minutes, after which Internet sharing is automatically turned off if a cellular connection is not available. - -Set PublicConnectionTimeout to any value between 1 and 60 inclusive. The default value is 20 minutes. A value of 0 is not supported. - - -## TetheringNAIConnection - -(Optional) Specify the CDMA TetheringNAI Connection Manager cellular connection that Internet sharing will use as a public connection. Set TetheringNAIConnection to the CDMA TetheringNAI Connection Manager cellular connection. - -If a CDMA mobile operator requires using a Tethering NAI during Internet sharing, they must configure a TetheringNAI connection and then specify the connection in this node. - -Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.The mapping policy will also include the connection specified in the TetheringNAIConnection value as well. - -If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share. - ->[!NOTE] ->CDMA phones are limited to one active data connection at a time. This means any application or service (such as e-mail or MMS) that is bound to another connection may not work while Internet sharing is turned on. - - - +Do not use. Enterprise admins who want to configure settings for mobile hotspots should use [Policies > Wifi](#wcd-policies.md#wifi). Mobile operators should use the [Country and Operator Settings Asset (COSA) format](https://docs.microsoft.com/windows-hardware/drivers/mobilebroadband/cosa-overview). diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index 6ddc8bd462..c3a9c02907 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -45,7 +45,7 @@ This section describes the settings that you can configure in [provisioning pack | [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | | X | | [FirstExperience](wcd-firstexperience.md) | | | | X | | | [Folders](wcd-folders.md) |X | X | X | X | | -| [HotSpot](wcd-hotspot.md) | X | X | X | X | X | +| [HotSpot](wcd-hotspot.md) | | | | | | | [InitialSetup](wcd-initialsetup.md) | | X | | | | | [InternetExplorer](wcd-internetexplorer.md) | | X | | | | | [KioskBrowser](wcd-kioskbrowser.md) | | | | | X | diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index aa375d690f..13cf82c872 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -2,7 +2,7 @@ ## [Deploy Windows 10 with Microsoft 365](deploy-m365.md) ## [What's new in Windows 10 deployment](deploy-whats-new.md) ## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) - +## [Windows Autopilot](windows-autopilot/windows-autopilot.md) ## [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) ### [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) ### [Configure VDA for Subscription Activation](vda-subscription-activation.md) @@ -19,13 +19,14 @@ ## [Deploy Windows 10](deploy.md) -### [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) -### [Windows 10 in S mode](s-mode.md) -#### [Switch to Windows 10 Pro/Enterprise from S mode](windows-10-pro-in-s-mode.md) +### [Windows Autopilot](windows-autopilot/windows-autopilot.md) ### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) ### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) ### [Windows 10 volume license media](windows-10-media.md) +### [Windows 10 in S mode](s-mode.md) +#### [Switch to Windows 10 Pro/Enterprise from S mode](windows-10-pro-in-s-mode.md) + ### [Windows 10 deployment test lab](windows-10-poc.md) #### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) #### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) @@ -212,9 +213,10 @@ ### [Change history for deploy Windows 10](change-history-for-deploy-windows-10.md) ## [Update Windows 10](update/index.md) -### [Quick guide to Windows as a service](update/waas-quick-start.md) -#### [Servicing stack updates](update/servicing-stack-updates.md) -### [Overview of Windows as a service](update/waas-overview.md) +### [Windows as a service](update/windows-as-a-service.md) +#### [Quick guide to Windows as a service](update/waas-quick-start.md) +##### [Servicing stack updates](update/servicing-stack-updates.md) +#### [Overview of Windows as a service](update/waas-overview.md) ### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) ### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) ### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index a70b584daf..c1d98d727b 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -73,7 +73,7 @@ For more information about integrating on-premises AD DS domains with Azure AD, ## Preparing for deployment: reviewing requirements -Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. +Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. ## Assigning licenses to users @@ -225,7 +225,7 @@ Use the following figures to help you troubleshoot when users experience these c ### Review requirements on devices -Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. +Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. **To determine if a device is Azure Active Directory joined:** diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index f45a135986..e0c769d5e0 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -7,7 +7,6 @@ ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, mdt, sccm, M365 ms.localizationpriority: medium -ms.date: 11/06/2018 author: greg-lindsay --- @@ -19,7 +18,7 @@ author: greg-lindsay This topic provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365. -[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). +[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). See the [M365 Enterprise poster](#m365-enterprise-poster) for an overview. For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including: @@ -53,10 +52,14 @@ Examples of these two deployment advisors are shown below. ## Windows Analytics deployment advisor example ![Windows Analytics deployment advisor](images/wada.png) +## M365 Enterprise poster + +[![M365 Enterprise poster](images/m365e.png)](http://aka.ms/m365eposter) + ## Related Topics [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
    -[Modern Destop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) +[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index be1e1f9ea7..c4c072ca4f 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -7,7 +7,6 @@ ms.localizationpriority: medium ms.prod: w10 ms.sitesec: library ms.pagetype: deploy -ms.date: 11/06/2018 author: greg-lindsay --- @@ -16,17 +15,32 @@ author: greg-lindsay **Applies to** - Windows 10 - ## In this topic This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization. -- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index). +- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://docs.microsoft.com/en-us/windows/whats-new/index). - For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history). +## Recent additions to this page + +[SetupDiag](#setupdiag) 1.4 is released.
    +[MDT](#microsoft-deployment-toolkit-mdt) 8456 is released.
    +New [Windows Autopilot](#windows-autopilot) content is available.
    +The [Microsoft 365](#microsoft-365) section was added. + ## The Modern Desktop Deployment Center -The [Modern Destop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Office 365 ProPlus. +The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Office 365 ProPlus. + +## Microsoft 365 + +Microsoft 365 is a new offering from Microsoft that combines +- Windows 10 +- Office 365 +- Enterprise Mobility and Security (EMS). + +See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [M365 Enterprise poster](deploy-m365.md#m365-enterprise-poster). ## Windows 10 servicing and support @@ -51,6 +65,14 @@ Windows Autopilot streamlines and automates the process of setting up and config Windows Autopilot joins devices to Azure Active Directory (Azure AD), optionally enrolls into MDM services, configures security policies, and sets a custom out-of-box-experience (OOBE) for the end user. For more information, see [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md). +Recent Autopilot content includes new instructions for CSPs and OEMs on how to [obtain and use customer authorization](windows-autopilot/registration-auth.md) to register Windows Autopilot devices on the customer’s behalf. + +### SetupDiag + +[SetupDiag](upgrade/setupdiag.md) is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. + +SetupDiag version 1.4 was released on 12/18/2018. + ### Upgrade Readiness The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. @@ -61,7 +83,7 @@ The development of Upgrade Readiness has been heavily influenced by input from t For more information about Upgrade Readiness, see the following topics: -- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/) +- [Windows Analytics blog](https://aka.ms/blog/WindowsAnalytics/) - [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) @@ -88,19 +110,16 @@ For more information, see [MBR2GPT.EXE](mbr-to-gpt.md). ### Microsoft Deployment Toolkit (MDT) -MDT build 8443 is available, including support for: -- Deployment and upgrade of Windows 10, version 1607 (including Enterprise LTSB and Education editions) and Windows Server 2016. -- The Windows ADK for Windows 10, version 1607. -- Integration with Configuration Manager version 1606. +MDT build 8456 (12/19/2018) is available, including support for Windows 10, version 1809, and Windows Server 2019. -For more information about MDT, see the [MDT resource page](https://technet.microsoft.com/windows/dn475741). +For more information about MDT, see the [MDT resource page](https://docs.microsoft.com/en-us/sccm/mdt/). ### Windows Assessment and Deployment Kit (ADK) The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. See the following topics: -- [What's new in ADK kits and tools](https://msdn.microsoft.com/windows/hardware/commercialize/what-s-new-in-kits-and-tools) +- [What's new in ADK kits and tools](https://docs.microsoft.com/en-us/windows-hardware/get-started/what-s-new-in-kits-and-tools) - [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) @@ -136,9 +155,7 @@ The following topics provide a change history for Windows 10 ITPro TechNet libra [Overview of Windows as a service](update/waas-overview.md)
    [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md) -
    [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx) +
    [Windows 10 release information](https://docs.microsoft.com/en-us/windows/windows-10/release-information)
    [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications)
    [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
    [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md) - - \ No newline at end of file diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index 3e14e9d06e..29c8f9e1d9 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -76,7 +76,7 @@ This section will show you how to populate the MDT deployment share with the Win MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft. ->[!OTE]   +>[!NOTE]   >Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM.   ### Add Windows 10 Enterprise x64 (full source) @@ -134,8 +134,8 @@ You also can customize the Office installation using a Config.xml file. But we r Figure 5. The Install - Microsoft Office 2013 Pro Plus - x86 application properties. - **Note**   - If you don't see the Office Products tab, verify that you are using a volume license version of Office. If you are deploying Office 365, you need to download the Admin folder from Microsoft. + >[!NOTE]  + >If you don't see the Office Products tab, verify that you are using a volume license version of Office. If you are deploying Office 365, you need to download the Admin folder from Microsoft.   3. In the Office Customization Tool dialog box, select the Create a new Setup customization file for the following product option, select the Microsoft Office Professional Plus 2013 (32-bit) product, and click OK. 4. Use the following settings to configure the Office 2013 setup to be fully unattended: @@ -156,8 +156,8 @@ You also can customize the Office installation using a Config.xml file. But we r - In the **Microsoft Office 2013** node, expand **Privacy**, select **Trust Center**, and enable the Disable Opt-in Wizard on first run setting. 5. From the **File** menu, select **Save**, and save the configuration as 0\_Office2013ProPlusx86.msp in the **E:\\MDTBuildLab\\Applications\\Install - Microsoft Office 2013 Pro Plus - x86\\Updates** folder. - **Note**   - The reason for naming the file with a 0 (zero) at the beginning is that the Updates folder also handles Microsoft Office updates, and they are installed in alphabetical order. The Office 2013 setup works best if the customization file is installed before any updates. + >[!NOTE]  + >The reason for naming the file with a 0 (zero) at the beginning is that the Updates folder also handles Microsoft Office updates, and they are installed in alphabetical order. The Office 2013 setup works best if the customization file is installed before any updates.   6. Close the Office Customization Tool, click Yes in the dialog box, and in the **Install - Microsoft Office 2013 Pro Plus - x86 Properties** window, click **OK**. @@ -333,8 +333,8 @@ The steps below walk you through the process of editing the Windows 10 referenc 2. Select the operating system for which roles are to be installed: Windows 10 3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0) - **Important**   - This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It is installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed. + >[!IMPORTANT] + >This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It is installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed.   ![figure 7](../images/fig8-cust-tasks.png) @@ -456,8 +456,8 @@ For that reason, add only a minimal set of rules to Bootstrap.ini, such as which Figure 12. The boot image rules for the MDT Build Lab deployment share. - **Note**   - For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation. + >[!NOTE]   + >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation.   4. In the **Windows PE** tab, in the **Platform** drop-down list, select **x86**. 5. In the **Lite Touch Boot Image Settings** area, configure the following settings: @@ -514,8 +514,8 @@ So, what are these settings? - **DeployRoot.** This is the location of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location. - **UserDomain, UserID, and UserPassword.** These values are used for automatic log on to the deployment share. Again, if they are not specified, the wizard prompts you. - **Note**   - Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic. + >[!WARNING]   + >Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic.   - **SkipBDDWelcome.** Even if it is nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard. diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index e722db5465..0b6ae0597d 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json @@ -37,7 +37,6 @@ "ms.technology": "windows", "ms.topic": "article", "ms.author": "greglin", - "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", diff --git a/windows/deployment/images/m365e.png b/windows/deployment/images/m365e.png new file mode 100644 index 0000000000..2f3ea14906 Binary files /dev/null and b/windows/deployment/images/m365e.png differ diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 0161bd05b1..9e17a20e8b 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -49,6 +49,7 @@ sections: [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) Check out the new Modern Deskop Deployment Center and discover content to help you with your Windows 10 and Office 365 ProPlus deployments. [What's new in Windows 10 deployment](deploy-whats-new.md) See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. + [Windows Autopilot](windows-autopilot/windows-autopilot.md) Windows Autopilot enables an IT department to pre-configure new devices and repurpose existing devices with a simple process that requires little to no infrastructure. [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) Windows 10 Enterprise has traditionally been sold as on premises software, however, with Windows 10 version 1703 (also known as the Creator’s Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as true online services via subscription. You can move from Windows 10 Pro to Windows 10 Enterprise with no keys and no reboots. If you are using a Cloud Service Providers (CSP) see the related topic: [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. @@ -60,7 +61,7 @@ sections: Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment.
     
    - + diff --git a/windows/deployment/planning/windows-10-1809-removed-features.md b/windows/deployment/planning/windows-10-1809-removed-features.md index fe64501dab..0c87d5a683 100644 --- a/windows/deployment/planning/windows-10-1809-removed-features.md +++ b/windows/deployment/planning/windows-10-1809-removed-features.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.sitesec: library author: lizap ms.author: elizapo -ms.date: 08/31/2018 +ms.date: 11/16/2018 --- # Features removed or planned for replacement starting with Windows 10, version 1809 @@ -32,7 +32,7 @@ We're removing the following features and functionalities from the installed pro |Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.| |limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| |Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| -|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 8 and Windows Embedded 8 Standard|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx).| +|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| ## Features we’re no longer developing diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md index b79237a3e1..7dcb96facc 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md @@ -1,7 +1,7 @@ --- title: Windows 10 Enterprise FAQ for IT pros (Windows 10) description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. -keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage udpates, Windows as a service, servicing channels, deployment tools +keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools ms.prod: w10 ms.mktglfcycl: plan ms.localizationpriority: medium diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index 839fe5301c..4c54a99d29 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md @@ -7,8 +7,8 @@ ms.localizationpriority: medium ms.prod: w10 ms.sitesec: library ms.pagetype: deploy -ms.date: 10/02/2018 -author: Mikeblodge +ms.date: 12/05/2018 +author: jaimeo --- # Windows 10 in S mode - What is it? @@ -19,7 +19,7 @@ S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update ## S mode key features **Microsoft-verified security** -With Windows 10 in S mode, you’ll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they’re Microsoft-verified for security. You can also feel secure when you’re online. Microsoft Edge, your default browser, gives you protection against phishing and socially-engineered malware. +With Windows 10 in S mode, you’ll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they’re Microsoft-verified for security. You can also feel secure when you’re online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware. **Performance that lasts** @@ -27,15 +27,23 @@ Start-ups are quick, and S mode is built to keep them that way. With Microsoft E **Choice and flexibility** -Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode) to Home, Pro, or Enterprise at any time and search the web for more choices, as shown below. +Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below. ![Switching out of S mode flow chart](images/s-mode-flow-chart.png) ## Deployment -Windows 10 S mode is built for [Modern Management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Auto Pilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot). The best way to start using an S mode device is to embrace Modern Management fully when designing the deployment plan. Windows Auto Pilot allows you to deploy the deivce directly to the employee without having to touch the physical device. Instead of manually deploying a custom image to a machine, Windows Auto Pilot will start with a generic PC that can only be used to join the company domain; Polices are then deployed automatically through Modern Device Management. -![Windows auto pilot work flow](images/autopilotworkflow.png) +Windows 10 in S mode is built for [modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired. + +## Keep line of business apps functioning with Desktop Bridge + +Worried about your line of business apps not working in S mode? [Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode. + +## Repackage Win32 apps into the MSIX format + +The [MSIX Packaging Tool](https://docs.microsoft.com/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your device and upload to the Microsoft Store. This is another way to get your apps ready to run on Windows 10 in S mode. + ## Related links diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md index 25bcd0d27e..822409ea0f 100644 --- a/windows/deployment/update/device-health-monitor.md +++ b/windows/deployment/update/device-health-monitor.md @@ -1,12 +1,11 @@ --- title: Monitor the health of devices with Device Health -description: You can use Device Health in OMS to monitor the frequency and causes of crashes and misbehaving apps on devices in your network. +description: You can use Device Health in Azure Portal to monitor the frequency and causes of crashes and misbehaving apps on devices in your network. keywords: oms, operations management suite, wdav, health, log analytics ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: medium -ms.date: 11/14/2017 ms.pagetype: deploy author: jaimeo ms.author: jaimeo @@ -18,9 +17,9 @@ ms.author: jaimeo Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by providing IT with reports on some common problems the end users might experience so they can be proactively remediated, thus saving support calls and improving end-user productivity. -Like Upgrade Readiness and Update Compliance, Device Health is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service that has a flexible servicing subscription based on data usage and retention. This release is free for customers to try and will not incur charges on your OMS workspace for its use. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). +Like Upgrade Readiness and Update Compliance, Device Health is a solution built in Azure Portal, a cloud-based monitoring and automation service that has a flexible servicing subscription based on data usage and retention. This release is free for customers to try and will not incur charges on your Azure Portal workspace for its use. For more information about Azure Portal, see [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) . -Device Health uses Windows diagnostic data that is part of all Windows 10 devices. If you have already employed Upgrade Readiness or Update Compliance solutions, all you need to do is select Device Health from the OMS solution gallery and add it to your OMS workspace. Device Health requires enhanced diagnostic data, so you might need to implement this policy if you've not already done so. +Device Health uses Windows diagnostic data that is part of all Windows 10 devices. If you have already employed Upgrade Readiness or Update Compliance solutions, all you need to do is select Device Health from the Azure Portal solution gallery and add it to your Azure Portal workspace. Device Health requires enhanced diagnostic data, so you might need to implement this policy if you've not already done so. Device Health provides the following: @@ -58,7 +57,7 @@ The Device Health architecture and data flow is summarized by the following five **(1)** User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
    **(2)** Diagnostic data is analyzed by the Microsoft Telemetry Service.
    -**(3)** Diagnostic data is pushed from the Microsoft Telemetry Service to your OMS workspace.
    +**(3)** Diagnostic data is pushed from the Microsoft Telemetry Service to your Azure Portal workspace.
    **(4)** Diagnostic data is available in the Device Health solution.
    **(5)** You are now able to proactively monitor Device Health issues in your environment.
    diff --git a/windows/deployment/update/device-health-using.md b/windows/deployment/update/device-health-using.md index 890e0c33bb..26da341d39 100644 --- a/windows/deployment/update/device-health-using.md +++ b/windows/deployment/update/device-health-using.md @@ -5,7 +5,6 @@ ms.prod: w10 ms.mktglfcycl: deploy keywords: oms, operations management suite, wdav, health, log analytics ms.sitesec: library -ms.date: 03/30/2018 ms.pagetype: deploy author: jaimeo ms.author: jaimeo @@ -29,7 +28,7 @@ Device Health provides the following benefits: >[!NOTE] >Information is refreshed daily so that health status can be monitored. Changes will be displayed about 24-48 hours after their occurrence, so you always have a recent snapshot of your devices. -In OMS, the aspects of a solution's dashboard are usually divided into blades. Blades are a slice of information, typically with a summarization tile and an enumeration of the items that makes up that data. All data is presented through queries. Perspectives are also possible, wherein a given query has a unique view designed to display custom data. The terminology of blades, tiles, and perspectives will be used in the sections that follow. +In Azure Portal, the aspects of a solution's dashboard are usually divided into blades. Blades are a slice of information, typically with a summarization tile and an enumeration of the items that makes up that data. All data is presented through queries. Perspectives are also possible, wherein a given query has a unique view designed to display custom data. The terminology of blades, tiles, and perspectives will be used in the sections that follow. ## Device Reliability @@ -260,16 +259,16 @@ In this chart view, you can click a particular app listing, which will open addi Here you can copy the WipAppid and use that for adjusting the WIP policy. -## Data model and OMS built-in extensibility +## Data model and built-in extensibility All of the views and blades display slices of the most useful data by using pre-formed queries. You have access to the full set of data collected by Device Health, which means you can construct your own queries to expose any data that is of interest to you. For documentation on working with log searches, see [Find data using log searches](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches). This topic section provides information about the data types being populated specifically by Device Health. ### Example queries -You can run these queries from the OMS **Log Search** interface (available at several points in the Device Health interface) by just typing them in. There are few details to be aware of: +You can run these queries from the Azure Portal **Log Search** interface (available at several points in the Device Health interface) by just typing them in. There are few details to be aware of: - After running a query, make sure to set the date range (which appears upper left after running initial query) to "7 days" to ensure you get data back. -- If you see the search tutorial dialog appearing frequently, it's likely because you are have read-only access to the OMS workspace. Ask a workspace administrator to grant you "contributor" permissions (which is required for the "completed tutorial" state to persist). +- If you see the search tutorial dialog appearing frequently, it's likely because you are have read-only access to the Azure Portal workspace. Ask a workspace administrator to grant you "contributor" permissions (which is required for the "completed tutorial" state to persist). - If you use the search filters in the left pane, you might notice there is no control to undo a filter selection. To undo a selection, delete the (FilterName="FilterValue") element that is appended to the search query and then click the search button again. For example, after you run a base query of *Type = DHOSReliability KernelModeCrashCount > 0*, a number of filter options appear on the left. If you then filter on **Manufacturer** (for example, by setting *Manufacturer="Microsoft Corporation"* and then clicking **Apply**), the query will change to *Type = DHOSReliability KernelModeCrashCount > 0 (Manufacturer="Microsoft Corporation")*. Delete *(Manufacturer="Microsoft Corporation")* and then click the **search** button again to re-run the query without that filter. ### Device reliability query examples @@ -300,7 +299,7 @@ You can run these queries from the OMS **Log Search** interface (available at se ### Exporting data and configuring alerts -OMS enables you to export data to other tools. To do this, in any view that shows **Log Search** just click the **Export** button. Similarly, clicking the **Alert** button will enable you to run a query automaticlaly on a schedule and receive email alerts for particular query results that you set. If you have a PowerBI account, then you will also see a **PowerBI** button that enables you to run a query on a schedule and have the results automatically saved as a PowerBI data set. +Azure Portal enables you to export data to other tools. To do this, in any view that shows **Log Search** just click the **Export** button. Similarly, clicking the **Alert** button will enable you to run a query automaticlaly on a schedule and receive email alerts for particular query results that you set. If you have a PowerBI account, then you will also see a **PowerBI** button that enables you to run a query on a schedule and have the results automatically saved as a PowerBI data set. diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md index e360ba20b9..4a2aa72c67 100644 --- a/windows/deployment/update/fod-and-lang-packs.md +++ b/windows/deployment/update/fod-and-lang-packs.md @@ -1,6 +1,6 @@ --- -title: Windows 10 - How to make FoDs and language packs available when you're using WSUS/SCCM -description: Learn how to make FoDs and language packs available for updates when you're using WSUS/SCCM. +title: Windows 10 - How to make FoD and language packs available when you're using WSUS/SCCM +description: Learn how to make FoD and language packs available when you're using WSUS/SCCM ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -14,10 +14,10 @@ ms.date: 10/18/2018 > Applies to: Windows 10 -As of Windows 10, version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) and language packs for Windows 10 clients. Instead, you can pull them directly from Windows Update - you just need to change a Group Policy setting that lets clients download these directly from Windows Update. You can also host Features on Demand and language packs on a network share, but starting with Windows 10, version 1809, language packs can only be installed from Windows Update. +As of Windows 10 version 1709, you cannot use Windows Server Update Services (WSUS) to host [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FOD) and language packs for Windows 10 clients locally. Instead, you can enforce a Group Policy setting that tells the clients to pull them directly from Windows Update. You can also host FOD and language packs on a network share, but starting with Windows 10 version 1809, language packs can only be installed from Windows Update. -For Active Directory and Group Policy environments running in a WSUS\SCCM environment change the **Specify settings for optional component installation and component repair** policy to enable downloading Features on Demand directly from Windows Update or a local share. This setting is located in Computer Configuration\Administrative Templates\System in the Group Policy Editor. - -Changing this policy only enables Features on Demand and language pack downloads from Windows Update - it doesn't affect how clients get feature and quality updates. Feature and quality updates will continue to come directly from WSUS\SCCM. It also doesn't affect the schedule for your clients to receive updates. +For Windows domain environments running WSUS or SCCM, change the **Specify settings for optional component installation and component repair** policy to enable downloading language and FOD packs from Windows Update. This setting is located in `Computer Configuration\Administrative Templates\System` in the Group Policy Editor. -Learn about other client management options, including using Group Policy and ADMX, in [Manage clients in Windows 10](https://docs.microsoft.com/windows/client-management/). +Changing this policy does not affect how other updates are distributed. They continue to come from WSUS or SCCM as you have scheduled them. + +Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](https://docs.microsoft.com/windows/client-management/). diff --git a/windows/deployment/update/images/champs-2.png b/windows/deployment/update/images/champs-2.png new file mode 100644 index 0000000000..bb87469a35 Binary files /dev/null and b/windows/deployment/update/images/champs-2.png differ diff --git a/windows/deployment/update/images/champs.png b/windows/deployment/update/images/champs.png new file mode 100644 index 0000000000..ea719bc251 Binary files /dev/null and b/windows/deployment/update/images/champs.png differ diff --git a/windows/deployment/update/images/deploy-land.png b/windows/deployment/update/images/deploy-land.png new file mode 100644 index 0000000000..bf104b6843 Binary files /dev/null and b/windows/deployment/update/images/deploy-land.png differ diff --git a/windows/deployment/update/images/discover-land.png b/windows/deployment/update/images/discover-land.png new file mode 100644 index 0000000000..8f9e30ce10 Binary files /dev/null and b/windows/deployment/update/images/discover-land.png differ diff --git a/windows/deployment/update/images/ignite-land.jpg b/windows/deployment/update/images/ignite-land.jpg new file mode 100644 index 0000000000..7d0837af47 Binary files /dev/null and b/windows/deployment/update/images/ignite-land.jpg differ diff --git a/windows/deployment/update/images/plan-land.png b/windows/deployment/update/images/plan-land.png new file mode 100644 index 0000000000..7569da7ac1 Binary files /dev/null and b/windows/deployment/update/images/plan-land.png differ diff --git a/windows/deployment/update/images/security-only-update.png b/windows/deployment/update/images/security-only-update.png new file mode 100644 index 0000000000..9ed3d0f791 Binary files /dev/null and b/windows/deployment/update/images/security-only-update.png differ diff --git a/windows/deployment/update/images/servicing-cadence.png b/windows/deployment/update/images/servicing-cadence.png new file mode 100644 index 0000000000..cb79ff70be Binary files /dev/null and b/windows/deployment/update/images/servicing-cadence.png differ diff --git a/windows/deployment/update/images/servicing-previews.png b/windows/deployment/update/images/servicing-previews.png new file mode 100644 index 0000000000..0914b555ba Binary files /dev/null and b/windows/deployment/update/images/servicing-previews.png differ diff --git a/windows/deployment/update/images/video-snip.PNG b/windows/deployment/update/images/video-snip.PNG new file mode 100644 index 0000000000..35317ee027 Binary files /dev/null and b/windows/deployment/update/images/video-snip.PNG differ diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index 420b02b8a3..ba2f9a130f 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md @@ -7,7 +7,7 @@ ms.sitesec: library author: Jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.date: 09/24/2018 +ms.date: 11/29/2018 --- # Servicing stack updates @@ -15,35 +15,38 @@ ms.date: 09/24/2018 **Applies to** -- Windows 10 +- Windows 10, Windows 8.1, Windows 8, Windows 7 ## What is a servicing stack update? -The "servicing stack" is the code that installs other operating system updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. +Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. ## Why should servicing stack updates be installed and kept up to date? -Having the latest servicing stack update is a prerequisite to reliably installing the latest quality updates and feature updates. Servicing stack updates improve the reliability and performance of the update process. +Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. ## When are they released? -Currently, the servicing stack update releases are aligned with the monthly quality update release date, though sometimes they are released on a separate date if required. +Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical." + +>[!NOTE] +>You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). ## What's the difference between a servicing stack update and a cumulative update? -Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. +Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. -However, there are some operating system fixes that aren’t included in a cumulative update but are still pre-requisites for the cumulative update. That is, the component that performs the actual updates sometimes itself requires an update. Those fixes are available in a servicing stack update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update. +Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update. -If a given cumulative update required a servicing stack update, you'll see that information in the release notes for the update. **If you try to install the cumulative update without installing the servicing stack update, you'll get an error.** ## Is there any special guidance? -Typically, the improvements are reliability, security, and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes. +Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update. + +Typically, the improvements are reliability and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes. ## Installation notes * Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system. * Installing servicing stack update does not require restarting the device, so installation should not be disruptive. * Servicing stack update releases are specific to the operating system version (build number), much like quality updates. -* Search to install latest available [Servicing stack update for Windows 10](https://support.microsoft.com/search?query=servicing%20stack%20update%20Windows%2010). - +* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index c29062acb5..0f4e2d8cdc 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -7,7 +7,6 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 10/04/2018 keywords: oms, operations management suite, optimization, downloads, updates, log analytics ms.localizationpriority: medium --- diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md index 658f351965..d3eae3a9f1 100644 --- a/windows/deployment/update/update-compliance-feature-update-status.md +++ b/windows/deployment/update/update-compliance-feature-update-status.md @@ -7,7 +7,6 @@ ms.sitesec: library ms.pagetype: deploy author: Jaimeo ms.author: jaimeo -ms.date: 10/04/2018 --- # Feature Update Status diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 0d73747fed..cd036990aa 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -1,6 +1,6 @@ --- title: Get started with Update Compliance (Windows 10) -description: Configure Update Compliance in OMS to see the status of updates and antimalware protection on devices in your network. +description: Configure Update Compliance in Azure Portal to see the status of updates and antimalware protection on devices in your network. keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav ms.prod: w10 ms.mktglfcycl: deploy @@ -8,7 +8,6 @@ ms.sitesec: library ms.pagetype: deploy author: Jaimeo ms.author: jaimeo -ms.date: 10/04/2018 ms.localizationpriority: medium --- diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 25fac89570..97a514dde4 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -1,6 +1,6 @@ --- title: Monitor Windows Updates and Windows Defender AV with Update Compliance (Windows 10) -description: You can use Update Compliance in OMS to monitor the progress of updates and key antimalware protection features on devices in your network. +description: You can use Update Compliance in Azure Portal to monitor the progress of updates and key antimalware protection features on devices in your network. keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics ms.prod: w10 ms.mktglfcycl: deploy @@ -8,7 +8,6 @@ ms.sitesec: library ms.pagetype: deploy author: Jaimeo ms.author: jaimeo -ms.date: 10/04/2018 ms.localizationpriority: medium --- @@ -34,12 +33,12 @@ See the following topics in this guide for detailed information about configurin ## Update Compliance architecture -The Update Compliance architecture and data flow is summarized by the following five-step process: +The Update Compliance architecture and data flow is summarized by the following four-step process: -**(1)** User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
    -**(2)** Diagnostic data is analyzed by the Update Compliance Data Service.
    -**(3)** Diagnostic data is pushed from the Update Compliance Data Service to your Azure Monitor workspace.
    -**(4)** Diagnostic data is available in the Update Compliance solution.
    +1. User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
    +2. Diagnostic data is analyzed by the Update Compliance Data Service.
    +3. Diagnostic data is pushed from the Update Compliance Data Service to your Azure Monitor workspace.
    +4. Diagnostic data is available in the Update Compliance solution.
    >[!NOTE] @@ -51,4 +50,4 @@ The Update Compliance architecture and data flow is summarized by the following ## Related topics [Get started with Update Compliance](update-compliance-get-started.md)
    -[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) \ No newline at end of file +[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md index 8f21da95f6..0b76b9c8ac 100644 --- a/windows/deployment/update/update-compliance-need-attention.md +++ b/windows/deployment/update/update-compliance-need-attention.md @@ -7,7 +7,6 @@ ms.sitesec: library ms.pagetype: deploy author: Jaimeo ms.author: jaimeo -ms.date: 10/04/2018 --- # Needs attention! diff --git a/windows/deployment/update/update-compliance-perspectives.md b/windows/deployment/update/update-compliance-perspectives.md index e3fe9c0bb9..38ad846be7 100644 --- a/windows/deployment/update/update-compliance-perspectives.md +++ b/windows/deployment/update/update-compliance-perspectives.md @@ -5,9 +5,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -author: DaniHalfin -ms.author: daniha -ms.date: 10/13/2017 +author: jaimeo +ms.author: jaimeo --- # Perspectives diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md index bf7d1d6795..45556de62c 100644 --- a/windows/deployment/update/update-compliance-security-update-status.md +++ b/windows/deployment/update/update-compliance-security-update-status.md @@ -7,7 +7,6 @@ ms.sitesec: library ms.pagetype: deploy author: Jaimeo ms.author: jaimeo -ms.date: 10/04/2018 --- # Security Update Status diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index d9b61d93cf..a30c60418b 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -8,7 +8,6 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 10/04/2018 ms.localizationpriority: medium --- @@ -78,7 +77,7 @@ This means you should generally expect to see new data every 24-36 hours, except ## Using Log Analytics -Update Compliance is built on the Log Analytics platform that is integrated into Operations Management Suite. All data in the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within OMS, can deeply enhance your experience and complement Update Compliance. +Update Compliance is built on the Log Analytics platform that is integrated into Operations Management Suite. All data in the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within Azure Portal, can deeply enhance your experience and complement Update Compliance. See below for a few topics related to Log Analytics: * Learn how to effectively execute custom Log Searches by referring to Microsoft Azure’s excellent documentation on [querying data in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches). diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md index aaf6b63c0c..bc12b6797b 100644 --- a/windows/deployment/update/update-compliance-wd-av-status.md +++ b/windows/deployment/update/update-compliance-wd-av-status.md @@ -7,7 +7,6 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 10/04/2018 --- # Windows Defender AV Status diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 0b00273fa8..e4efb40317 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -7,7 +7,6 @@ ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.date: 06/01/2018 --- # Configure Windows Update for Business @@ -17,13 +16,11 @@ ms.date: 06/01/2018 - Windows 10 - Windows 10 Mobile +- Windows Server 2016 +- Windows Server 2019 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) ->[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still appear in some of our products. -> ->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). @@ -40,83 +37,73 @@ By grouping devices with similar deferral periods, administrators are able to cl >In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/). -## Configure devices for Current Branch (CB) or Current Branch for Business (CBB) -With Windows Update for Business, you can set a device to be on either the Current Branch (CB) (now called Semi-Annual Channel (Targeted)) or the Current Branch for Business (CBB) (now called Semi-Annual Channel) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels). + +## Configure devices for the appropriate service channel + +With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the Semi-Annual Channel servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels). **Release branch policies** | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607 and above:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | -| GPO for version 1511:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade | -| MDM for version 1607 and above:
    ../Vendor/MSFT/Policy/Config/Update/
    **BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel | -| MDM for version 1511:
    ../Vendor/MSFT/Policy/Config/Update/
    **RequireDeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | +| GPO for Windows 10, version 1607 or later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | +| GPO for Windows 10, version 1511:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade | +| MDM for Windows 10, version 1607 or later:
    ../Vendor/MSFT/Policy/Config/Update/
    **BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel | +| MDM for Windows 10, version 1511:
    ../Vendor/MSFT/Policy/Config/Update/
    **RequireDeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | -Starting with version 1703, users are able to configure their device's branch readiness level, by going to **Settings > Update & security > Windows Update > Advanced options**. +Starting with Windows 10, version 1703, users can configure the branch readiness level for their device by using **Settings > Update & security > Windows Update > Advanced options**. ![Branch readiness level setting](images/waas-wufb-settings-branch.jpg) >[!NOTE] >Users will not be able to change this setting if it was configured by policy. ->[!IMPORTANT] ->Devices on the Semi-Annual Channel (formerly called Current Branch for Business) must have their diagnostic data set to **1 (Basic)** or higher, in order to ensure that the service is performing at the expected quality. If diagnostic data is set to **0**, the device will be treated as if it were in the Semi-Annual Channel (Targeted)(formerly called Current Branch or CB) branch. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). -## Configure when devices receive Feature Updates +## Configure when devices receive feature updates -After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. +After you configure the servicing branch (Windows Insider Preview or Semi-Annual Channel), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. ->[!IMPORTANT] ->This policy does not apply to Windows 10 Mobile Enterprise. -> ->You can only defer up to 180 days prior to version 1703. +For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriodinDays=30` will not install a feature update that is first publicly available on Windows Update in September until 30 days later, in October. -**Examples** - -| Settings | Scenario and behavior | -| --- | --- | -| Device is on CB
    DeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Device will not receive update until February, 30 days later. | -| Device is on CBB
    DeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Four months later, in April, Feature Update X is released to CBB. Device will receive the Feature Update 30 days following this CBB release and will update in May. |

    -**Defer Feature Updates policies** +**Policy settings for deferring feature updates** | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607 and above:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
    \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | -| GPO for version 1511:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod | -| MDM for version 1607 and above:
    ../Vendor/MSFT/Policy/Config/Update/
    **DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays | -| MDM for version 1511:
    ../Vendor/MSFT/Policy/Config/Update/
    **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | +| GPO for Windows 10, version 1607 later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
    \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | +| GPO for Windows 10, version 1511:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod | +| MDM for Windows 10, version 1607 and later:
    ../Vendor/MSFT/Policy/Config/Update/
    **DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays | +| MDM for Windows 10, version 1511:
    ../Vendor/MSFT/Policy/Config/Update/
    **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | >[!NOTE] ->If not configured by policy, users can defer feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**. +>If not configured by policy, individual users can defer feature updates by using **Settings > Update & security > Windows Update > Advanced options**. -## Pause Feature Updates +## Pause feature updates -You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again. +You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, you can then pause Feature Updates for the device again. -Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date. +Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date. -In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date. +In cases where the pause policy is first applied after the configured start date has passed, you can extend the pause period up to a total of 35 days by configuring a later start date. >[!IMPORTANT] ->This policy does not apply to Windows 10 Mobile Enterprise. > ->Prior to Windows 10, version 1703, feature updates could be paused by up to 60 days. This number has been changed to 35, similar to the number of days for quality updates. +>In Windows 10, version 1703 and later versions, you can pause feature updates to 35 days, similar to the number of days for quality updates. -**Pause Feature Updates policies** +**Policy settings for pausing feature updates** | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607 and above:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
    **1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate | -| GPO for version 1511:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | -| MDM for version 1607 and above:
    ../Vendor/MSFT/Policy/Config/Update/
    **PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates
    **1703:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate | -| MDM for version 1511:
    ../Vendor/MSFT/Policy/Config/Update/
    **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | +| GPO for Windows 10, version 1607 and later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
    **1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate | +| GPO for Windows 10, version 1511:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | +| MDM for Windows 10, version 1607 and later:
    ../Vendor/MSFT/Policy/Config/Update/
    **PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates
    **1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate | +| MDM for Windows 10, version 1511:
    ../Vendor/MSFT/Policy/Config/Update/
    **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | -You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. +You can check the date that Feature Updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. -The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. +The local group policy editor (GPEdit.msc) will not reflect whether the Feature Update pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking Feature Updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: | Value | Status| | --- | --- | @@ -125,58 +112,58 @@ The local group policy editor (GPEdit.msc) will not reflect if your Feature Upda | 2 | Feature Updates have auto-resumed after being paused | >[!NOTE] ->If not configured by policy, users can pause feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**. +>If not configured by policy, individual users can pause feature updates by using **Settings > Update & security > Windows Update > Advanced options**. -With version 1703, pausing through the settings app will provide a more consistent experience: -- Any active restart notification are cleared or closed -- Any pending restarts are canceled -- Any pending update installations are canceled -- Any update installation running when pause is activated will attempt to rollback +Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically: +- Any active restart notification are cleared or closed. +- Any pending restarts are canceled. +- Any pending update installations are canceled. +- Any update installation running when pause is activated will attempt to roll back. ## Configure when devices receive Quality Updates -Quality Updates are typically published the first Tuesday of every month, though can be released at any time by Microsoft. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value. +Quality Updates are typically published on the first Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value. -You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When this is done, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates. +You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When you do this, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates. >[!IMPORTANT] >This policy defers both Feature and Quality Updates on Windows 10 Mobile Enterprise. -**Defer Quality Updates policies** +**Policy settings for deferring quality updates** | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607 and above:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates
    \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays | -| GPO for version 1511:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod | -| MDM for version 1607 and above:
    ../Vendor/MSFT/Policy/Config/Update/
    **DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays | -| MDM for version 1511:
    ../Vendor/MSFT/Policy/Config/Update/
    **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate | +| GPO for Windows 10, version 1607 and later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates
    \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays | +| GPO for Windows 10, version 1511:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod | +| MDM for Windows 10, version 1607 and later:
    ../Vendor/MSFT/Policy/Config/Update/
    **DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays | +| MDM for Windows 10, version 1511:
    ../Vendor/MSFT/Policy/Config/Update/
    **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate | >[!NOTE] ->If not configured by policy, users can defer quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**. +>If not configured by policy, individual users can defer quality updates by using **Settings > Update & security > Windows Update > Advanced options**. -## Pause Quality Updates +## Pause quality updates -You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the system will scan Windows Updates for applicable Quality Updates. Following this scan, Quality Updates for the device can then be paused again. +You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable quality Updates. Following this scan, you can then pause quality Updates for the device again. -Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date. +Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date. -In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date. +In cases where the pause policy is first applied after the configured start date has passed, you can extend the pause period up to a total of 35 days by configuring a later start date. ->[!IMPORTANT] ->This policy pauses both Feature and Quality Updates on Windows 10 Mobile Enterprise. +>[!NOTE] +>Starting with Windows 10, version 1809, IT administrators can prevent individual users from pausing updates. -**Pause Quality Updates policies** +**Policy settings for pausing quality updates** | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607 and above:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |**1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates
    **1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdatesStartTime | -| GPO for version 1511:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | -| MDM for version 1607 and above:
    ../Vendor/MSFT/Policy/Config/Update/
    **PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates
    **1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime | -| MDM for version 1511:
    ../Vendor/MSFT/Policy/Config/Update/
    **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | +| GPO for Windows 10, version 1607 and later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |**1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates
    **1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdatesStartTime | +| GPO for Windows 10, version 1511:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | +| MDM for Windows 10, version 1607 and later:
    ../Vendor/MSFT/Policy/Config/Update/
    **PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates
    **1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime | +| MDM for Windows 10, version 1511:
    ../Vendor/MSFT/Policy/Config/Update/
    **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | -You can check the date that Quality Updates were paused at by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. +You can check the date that quality Updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. -The local group policy editor (GPEdit.msc) will not reflect if your Quality Update Pause period has expired. Although the device will resume Quality Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Quality Updates, you can check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. +The local group policy editor (GPEdit.msc) will not reflect whether the quality Update pause period has expired. Although the device will resume quality Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: | Value | Status| | --- | --- | @@ -185,21 +172,22 @@ The local group policy editor (GPEdit.msc) will not reflect if your Quality Upda | 2 | Quality Updates have auto-resumed after being paused | >[!NOTE] ->If not configured by policy, users can pause quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**. +>If not configured by policy, individual users can pause quality updates by using **Settings > Update & security > Windows Update > Advanced options**. -With version 1703, pausing through the settings app will provide a more consistent experience: +Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically: - Any active restart notification are cleared or closed - Any pending restarts are canceled - Any pending update installations are canceled - Any update installation running when pause is activated will attempt to rollback -## Configure when devices receive Windows Insider preview builds +## Configure when devices receive Windows Insider Preview builds Starting with Windows 10, version 1709, you can set policies to manage preview builds and their delivery: The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public. * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds* * MDM: **Update/ManagePreviewBuilds** +* System Center Configuration Manager: **Enable dual scan, manage through Windows Update for Business policy** >[!IMPORTANT] >This policy replaces the "Toggle user control over Insider builds" policy under that is only supported up to Windows 10, version 1703. You can find the older policy here: @@ -212,18 +200,18 @@ The policy settings to **Select when Feature Updates are received** allows you t ## Exclude drivers from Quality Updates -In Windows 10, starting with version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete. +Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy will not apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to Feature Updates, where drivers might be dynamically installed to ensure the Feature Update process can complete. -**Exclude driver policies** +**Policy settings to exclude drivers** | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607 and above:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate | -| MDM for version 1607 and above:
    ../Vendor/MSFT/Policy/Config/Update/
    **ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate | +| GPO for Windows 10, version 1607 and later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate | +| MDM for Windows 10, version 1607 and later:
    ../Vendor/MSFT/Policy/Config/Update/
    **ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate | -## Summary: MDM and Group Policy for version 1703 +## Summary: MDM and Group Policy settings for Windows 10, version 1703 and later -Below are quick-reference tables of the supported Windows Update for Business policy values for Windows 10, version 1607 and above. +The following are quick-reference tables of the supported policy values for Windows Update for Business in Windows 10, version 1607 and later. **GPO: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** @@ -252,25 +240,14 @@ Below are quick-reference tables of the supported Windows Update for Business po ## Update devices to newer versions -Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703, also uses a few GPO and MDM keys that are different to what's available in version 1607. However, Windows Update for Business clients running version older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, it should be noted that only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator. +Due to the changes in Windows Update for Business, Windows 10, version 1607 uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703 also uses a few GPO and MDM keys that are different from those available in version 1607. However, Windows Update for Business devices running older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator. ### How older version policies are respected on newer versions -When a client running a newer version sees an update available on Windows Update, the client will first evaluate and execute against the Windows Updates for Business policy keys for it's version. If these are not present, it will then check to see if any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent. +When a device running a newer version sees an update available on Windows Update, the device first evaluates and executes the Windows Updates for Business policy keys for its current (newer) version. If these are not present, it then checks whether any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent. -### Comparing the version 1511 keys to the version 1607 keys -In the Windows Update for Business policies in version 1511, all the deferral rules were grouped under a single policy where pausing affected both upgrades and updates. In Windows 10, version 1607, this functionality has been broken out into separate polices: deferral of Feature and Quality Updates can be enabled and paused independently of one other. - -
    TopicDescription
    [Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md) Windows Autopilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices.
    [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) Windows Autopilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices.
    [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) This topic provides information about support for upgrading directly to Windows 10 from a previous operating system.
    [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) This topic provides information about support for upgrading from one edition of Windows 10 to another.
    [Windows 10 volume license media](windows-10-media.md) This topic provides information about media available in the Microsoft Volume Licensing Service Center.
    - -
    Group Policy keys
    Version 1511 GPO keysVersion 1607 GPO keys
    **DeferUpgrade**: *enable/disable*
    Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).

    **DeferUpgradePeriod**: *0 - 8 months*

    **DeferUpdatePeriod**: *1 – 4 weeks*

    **Pause**: *enable/disable*
    Enabling will pause both upgrades and updates for a max of 35 days
    		**DeferFeatureUpdates**: *enable/disable*

    **BranchReadinessLevel**
    Set device on CB or CBB

    **DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

    **PauseFeatureUpdates**: *enable/disable*
    Enabling will pause Feature updates for a max of 60 days

    **DeferQualityUpdates**: *Enable/disable*

    **DeferQualityUpdatesPeriodinDays**: *0 - 35 days*

    **PauseQualityUpdates**: *enable/disable*
    Enabling will pause Quality updates for a max of 35 days

    **ExcludeWUDrivers**: *enable/disable*
    - - - -
    MDM keys
    Version 1511 MDM keysVersion 1607 MDM keys
    **RequireDeferUpgade**: *bool*
    Puts the device on CBB (no ability to defer updates while on the CB branch).

    **DeferUpgradePeriod**: *0 - 8 months*

    **DeferUpdatePeriod**: *1 – 4 weeks*

    **PauseDeferrals**: *bool*
    Enabling will pause both upgrades and updates for a max of 35 days
    		**BranchReadinessLevel**
    Set system on CB or CBB

    **DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

    **PauseFeatureUpdates**: *enable/disable*
    Enabling will pause Feature updates for a max of 60 days

    **DeferQualityUpdatesPeriodinDays**: *0 - 35 days*

    **PauseQualityUpdates**: *enable/disable*
    Enabling will pause Quality updates for a max of 35 days

    **ExcludeWUDriversInQualityUpdate**: *enable/disable*
    - -### Comparing the version 1607 keys to the version 1703 keys +### Comparing keys in Windows 10, version 1607 to Windows 10, version 1703 | Version 1607 key | Version 1703 key | | --- | --- | @@ -294,4 +271,4 @@ In the Windows Update for Business policies in version 1511, all the deferral ru - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) - [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) -- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.txt b/windows/deployment/update/waas-delivery-optimization-reference.txt deleted file mode 100644 index 993295784a..0000000000 --- a/windows/deployment/update/waas-delivery-optimization-reference.txt +++ /dev/null @@ -1,23 +0,0 @@ ---- -title: Delivery Optimization reference -description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10 -keywords: oms, operations management suite, wdav, updates, downloads, log analytics -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: JaimeO -ms.localizationpriority: medium -ms.author: jaimeo -ms.date: 10/23/2018 ---- - -# Delivery Optimization reference - -**Applies to** - -- Windows 10 - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference. - diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md deleted file mode 100644 index edb097e05a..0000000000 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ /dev/null @@ -1,42 +0,0 @@ ---- -title: Set up Delivery Optimization -description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10 -keywords: oms, operations management suite, wdav, updates, downloads, log analytics -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: JaimeO -ms.localizationpriority: medium -ms.author: jaimeo -ms.date: 10/23/2018 ---- - -# Set up Delivery Optimization for Windows 10 updates - -**Applies to** - -- Windows 10 - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -## Plan to use Delivery Optimization - -general guidelines + “recommended policies” chart - - -## Implement Delivery Optimization -[procedural-type material; go here, click this] - -### Peer[?] topology (steps for setting up Group download mode) - - -### Hub and spoke topology (steps for setting up peer selection) - - -## Monitor Delivery Optimization -how to tell if it’s working? What values are reasonable; which are not? If not, which way to adjust and how? - -### Monitor w/ PS - -### Monitor w/ Update Compliance - diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index c43a9b860b..f82f1afa73 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -1,5 +1,5 @@ --- -title: Delivery Optimization for Windows 10 updates (Windows 10) +title: Configure Delivery Optimization for Windows 10 updates (Windows 10) description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10 keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 @@ -8,10 +8,10 @@ ms.sitesec: library author: JaimeO ms.localizationpriority: medium ms.author: jaimeo -ms.date: 10/23/2018 +ms.date: 04/30/2018 --- -# Delivery Optimization for Windows 10 updates +# Configure Delivery Optimization for Windows 10 updates **Applies to** @@ -20,14 +20,15 @@ ms.date: 10/23/2018 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -Delivery Optimization reduces the bandwidth needed to download Windows updates and applications by sharing the work of downloading these packages among multiple devices in your deployment. It does this by using a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. +Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager when installation of Express Updates is enabled. -You can use Delivery Optimization in conjunction with standalone Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager (when installation of Express Updates is enabled). +Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet. -To take advantage of Delivery Optimization, you'll need the following: -- The devices being updated must have access to the internet. -- The devices must be running at least these minimum versions: +>[!NOTE] +>WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. + +The following table lists the minimum Windows 10 version that supports Delivery Optimization: | Device type | Minimum Windows version | |------------------|---------------| @@ -36,11 +37,10 @@ To take advantage of Delivery Optimization, you'll need the following: | IoT devices | 1803 | | HoloLens devices | 1803 | - In Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. These options are detailed in [Download mode](#download-mode). ->[!NOTE] ->WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. +By default in Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. +For more details, see [Download mode](#download-mode). ## Delivery Optimization options diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index bab0085402..ba0843abc3 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -7,7 +7,6 @@ ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.date: 06/01/2018 --- # Deploy updates using Windows Update for Business @@ -17,15 +16,14 @@ ms.date: 06/01/2018 - Windows 10 - Windows 10 Mobile +- Windows Server 2016 +- Windows Server 2019 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) ->[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still apear in some of our products. -> ->In the following settings, CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. -Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices. + +Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined devices. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices. Specifically, Windows Update for Business allows for: @@ -35,7 +33,7 @@ Specifically, Windows Update for Business allows for: - Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution. - Control over diagnostic data level to provide reporting and insights in Windows Analytics. -Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education. +Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education editions. >[!NOTE] >See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10. @@ -48,79 +46,70 @@ Windows Update for Business provides three types of updates to Windows 10 device - **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates. - **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred. -Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business. +Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device (if you set a deferral period of 365 days, the update will not be offered until 365 days after that update was released). -| Category | Maximum deferral | Deferral increments | Example | Classification GUID | +| Category | Maximum deferral | Deferral increments | Example | WSUS classification GUID | | --- | --- | --- | --- | --- | -| Feature Updates | 365 days | Days | From Windows 10, version 1511 to version 1607 maximum was 180 days
    In Windows 10, version 1703 maximum is 365 | 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 | -| Quality Updates | 30 days | Days | Security updates
    Drivers (optional)
    Non-security updates
    Microsoft updates (Office,Visual Studio, etc.) | 0FA1201D-4330-4FA8-8AE9-B877473B6441
    EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
    CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
    varies | +| Feature Updates | 365 days | Days | From Windows 10, version 1511 to version 1607 maximum was 180 days.
    From Windows 10, version 1703 to version 1809, the maximum is 365 days. | 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 | +| Quality Updates | 30 days | Days | Security updates
    Drivers (optional)
    Non-security updates
    Microsoft updates (Office,Visual Studio, etc.) | 0FA1201D-4330-4FA8-8AE9-B877473B6441

    EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0

    CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83

    varies | | Non-deferrable | No deferral | No deferral | Definition updates | E0789628-CE08-4437-BE74-2495B842F43B | >[!NOTE] >For information about classification GUIDs, see [WSUS Classification GUIDs](https://msdn.microsoft.com/library/ff357803.aspx). -## Changes to Windows Update for Business in Windows 10, version 1709 +## Windows Update for Business in various Windows 10 versions -The group policy path for Windows Update for Business was changed to correctly reflect its association to Windows Update for Business. +Windows Update for Business was first available in Windows 10, version 1511. This diagram lists new or changed capabilities and updated behavior in subsequent versions. -| Prior to Windows 10, version 1709 | Windows 10, version 1709 | -| --- | --- | -| Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Update | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business | -We have added the ability to manage Windows Insider preview builds and their delivery: +| Windows 10, version 1511 | 1607 | 1703 | 1709 | 1803 | 1809 | +| --- | --- | --- | --- | --- | --- | +| Defer quality updates
    Defer feature updates
    Pause updates | All 1511 features, plus: **WSUS integration** | All 1607 features, plus **Settings controls** | All 1703 features, plus **Ability to set slow vs. fast Insider Preview branch** | All 1709 features, plus **Uninstall updates remotely** | All 1803 features, plus **Option to use default automatic updates**
    **Ability to set separate deadlines for feature vs. quality updates**
    **Admins can prevent users from pausing updates** +## Managing Windows Update for Business with Group Policy -The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public. -* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds* -* MDM: **Update/ManagePreviewBuilds** +The group policy path for Windows Update for Business has changed to correctly reflect its association to Windows Update for Business and provide the ability to easily manage pre-release Windows Insider Preview builds in Windows 10, version 1709. ->[!IMPORTANT] ->This policy replaces the "Toggle user control over Insider builds" policy under that is only supported up to Windows 10, version 1703. You can find the older policy here: ->* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds** ->* MDM: **System/AllowBuildPreview** +| Action | Windows 10 versions prior to 1709 | Windows 10 versions after 1709 | +| --- | --- | --- | +| Set Windows Update for Business Policies | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Update | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business | +| Manage Windows Insider Preview builds | Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds | Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business - *Manage preview builds* | +| Manage when updates are received | Select when Feature Updates are received | Select when Preview Builds and Feature Updates are received
    (Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business - **Select when Preview Builds and Feature Updates are received**) | -The policy settings to **Select when Feature Updates are received** is now called **Select when Preview Builds and Feature Updates are received**. In addition to previous functionality, it now allows you to choose between preview flight rings, and allows you to defer or pause their delivery. -* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* -* MDM: **Update/BranchReadinessLevel** +## Managing Windows Update for Business with MDM -## Changes to Windows Update for Business in Windows 10, version 1703 +Starting with Windows 10, version 1709, the Windows Update for Business settings in MDM were changed to correctly reflect the associations with Windows Update for Business and provide the ability to easily manage Windows Insider Preview builds in 1709. -### Options added to Settings +| Action | Windows 10 versions prior to 1709 | Windows 10 versions after 1709 | +| --- | --- | --- | +| Manage Windows Insider Preview builds | System/AllowBuildPreview | Update/ManagePreviewBuilds | +| Manage when updates are received | Select when Feature Updates are received | Select when Preview Builds and Feature Updates are received (Update/BranchReadinessLevel) | -We have added a few controls into settings to allow users to control Windows Update for Business through an interface. -- [Configuring the device's branch readiness level](waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), through **Settings > Update & security > Windows Update > Advanced options** -- [Pausing feature updates](waas-configure-wufb.md#pause-feature-updates), through **Settings > Update & security > Window Update > Advanced options** +## Managing Windows Update for Business with Software Center Configuration Manager -### Adjusted time periods +Starting with Windows 10, version 1709, you can assign a collection of devices to have dual scan enabled and manage that collection with Windows Update for Business policies. Starting with Windows 10, version 1809, you can set a collection of devices to receive the Windows Insider Preview Feature Updates from Windows Update from within Software Center Configuration Manager. -We have adjusted the maximum pause period for both quality and feature updates to be 35 days, as opposed to 30 and 60 days previously, respectively. +| Action | Windows 10 versions between 1709 and 1809 | Windows 10 versions after 1809 | +| --- | --- | --- | +| Manage Windows Update for Business in Configuration Manager | Manage Feature or Quality Updates with Windows Update for Business via Dual Scan | Manage Insider pre-release builds with Windows Update for Business within Software Center Configuration Manager | -We have also adjusted the maximum feature update deferral period to be 365 days, as opposed to 180 days previously. +## Managing Windows Update for Business with Windows Settings options +Windows Settings includes options to control certain Windows Update for Business features: -### Additional changes +- [Configure the readiness level](waas-configure-wufb.md#configure-devices-for-the-appropriate-service-channel) for a branch by using **Settings > Update & security > Windows Update > Advanced options** +- [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) by using Settings > Update & security > Window Update > Advanced options -The pause period is now calculated starting from the set start date. For additional details, see [Pause Feature Updates](waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](waas-configure-wufb.md#pause-quality-updates). Due to that, some policy keys are now named differently. For more information, see [Comparing the version 1607 keys to the version 1703 keys](waas-configure-wufb.md#comparing-the-version-1607-keys-to-the-version-1703-keys). +## Other changes in Windows Update for Business in Windows 10, version 1703 and later releases -## Comparing Windows Update for Business in Windows 10, version 1511 and version 1607 -Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior. +### Pause and deferral periods ->[!NOTE] ->For more information on Current Branch (Semi-Annual Channel (Targeted)) and Current Branch for Business (Semi-Annual Channel), see [Windows 10 servicing options](waas-overview.md#servicing-channels). +The maximum pause time period is 35 days for both quality and feature updates. The maximum deferral period for feature updates is 365 days. - - - - - - - - - - - -
    CapabilityWindows 10, version 1511Windows 10, version 1607

    Select servicing options: CB or CBB

    Not available. To defer updates, all systems must be on the Current Branch for Business (CBB)

    Ability to set systems on the Current Branch (CB) or Current Branch for Business (CBB).

    Quality Updates

    Able to defer receiving Quality Updates:

    • Up to 4 weeks
    • In weekly increments

    Able to defer receiving Quality Updates:

    • Up to 30 days
    • In daily increments

    Feature Updates

    Able to defer receiving Feature Updates:

    • Up to 8 months
    • In monthly increments

    Able to defer receiving Feature Updates:

    • Up to 180 days
    • In daily increments

    Pause updates

    • Feature Updates and Quality Updates paused together
    • Maximum of 35 days

    Features and Quality Updates can be paused separately.

    • Feature Updates: maximum 60 days
    • Quality Updates: maximum 35 days

    Drivers

    No driver-specific controls

    Drivers can be selectively excluded from Windows Update for Business.

    +Also, the pause period is calculated from the set start date. For more details, see [Pause Feature Updates](waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](waas-configure-wufb.md#pause-quality-updates). As a result, certain policy keys have different names; see the "Comparing keys in Windows 10, version 1607 to Windows 10, version 1703" section in [Configure Windows Update for Business](waas-configure-wufb.md) for details. -## Monitor Windows Updates using Update Compliance + + +## Monitor Windows Updates by using Update Compliance Update Compliance, now **available in public preview**, provides a holistic view of OS update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This new service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated. diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md new file mode 100644 index 0000000000..a8a889c72c --- /dev/null +++ b/windows/deployment/update/waas-morenews.md @@ -0,0 +1,19 @@ +--- +title: Windows as a service +ms.prod: w10 +ms.topic: article +ms.manager: elizapo +author: lizap +ms.author: elizapo +ms.date: 12/19/2018 +ms.localizationpriority: high +--- +# Windows as a service - More news + +Here's more news about [Windows as a service](windows-as-a-service.md): + + \ No newline at end of file diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md index 8446553143..70cba0bcec 100644 --- a/windows/deployment/update/waas-optimize-windows-10-updates.md +++ b/windows/deployment/update/waas-optimize-windows-10-updates.md @@ -54,7 +54,7 @@ Windows 10 quality update downloads can be large because every package contains >Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business. ### How Microsoft supports Express -- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or 1607 with the April 2017 cumulative update. +- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update. - **Express on WSUS Standalone** Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx). diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md new file mode 100644 index 0000000000..27e3799565 --- /dev/null +++ b/windows/deployment/update/waas-servicing-differences.md @@ -0,0 +1,115 @@ +--- +title: Servicing differences between Windows 10 and older operating systems +description: Learn the differences between servicing Windows 10 and servicing older operating systems. +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: KarenSimWindows +ms.localizationpriority: medium +ms.author: karensim +--- +# Understanding the differences between servicing Windows 10-era and legacy Windows operating systems + +>Applies to: Windows 10 + +>**February 15, 2019: This document has been corrected and edited to reflect that security-only updates for legacy OS versions are not cumulative. They were previously identified as cumulative similar to monthly rollups, which is inaccurate.** + +Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need critical to understand how best to leverage a modern workplace to support system updates. + +The following provides an initial overview of how updating client and server differs between the Windows 10-era Operating Systems (such as, Windows 10 version 1709, Windows Server 2016) and legacy operating systems (such as Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2). + +>[!NOTE] +>A note on naming convention in this article: For brevity, "Windows 10" refers to all operating systems across client, server and IoT released since July 2015, while "legacy" refers to all operating systems prior to that period for client and server, including Windows 7, Window 8.1, Windows Server 2008 R2, Windows Server 2012 R2, etc. + +## Infinite fragmentation +Prior to Windows 10, all updates to operating system (OS) components were published individually. On "Update Tuesday," customers would pick and choose individual updates they wanted to apply. Most chose to update security fixes, while far fewer selected non-security fixes, updated drivers, or installed .NET Framework updates. + +As a result, each environment within the global Windows ecosystem that had only a subset of security and non-security fixes installed had a different set of binaries and behaviors than those that consistently installed every available update as tested by Microsoft. + +This resulted in a fragmented ecosystem that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues. Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If you’ve seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time. + +## Windows 10 – Next generation +Windows 10 provided an opportunity to end the era of infinite fragmentation. With Windows 10 and the Windows as a service model, updates came rolled together in the "latest cumulative update" (LCU) packages for both client and server. Every new update published includes all changes from previous updates, as well as new fixes. Since Windows client and server share the same code base, these LCUs allow the same update to be installed on the same client and server OS family, further reducing fragmentation. + +This helps simplify servicing. Devices with the original Release to Market (RTM) version of a feature release installed could get up to date by installing the most recent LCU. + +Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security and Internet Explorer 11 (IE11) fixes. The security classification, by definition, requires a reboot of the device to complete installation of the update. + + +![High level cumulative update model](images/servicing-cadence.png) +*Figure 1.0 - High level cumulative update model* + +Another benefit of the LCU model is fewer steps. Devices that have the original Release to Market (RTM) version of a release can install the most recent LCU to get up to date in one step, rather than having to install multiple updates with reboots after each. + +This cumulative update model for Windows 10 has helped provide the Windows ecosystem with consistent update experiences that can be predicted by baseline testing before release. Even with highly complex updates with hundreds of fixes, the number of incidents with monthly security updates for Windows 10 have fallen month over month since the initial release of Windows 10. + +### Points to consider + +- Windows 10 does not have the concept of a Security-Only or Monthly Rollup for updates. All updates are an LCU package, which includes the last release plus anything new. +- Windows 10 no longer has the concept of a "hotfix" since all individual updates must be rolled into the cumulative packages. (Note: Any private fix is offered for customer validation only, and then rolled into an LCU.) +- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in the Windows 10 LCU. They are separate packages with different behaviors depending on the version of .NET Framework being updated, and on which OS. As of October 2018, .NET Framework updates for Windows 10 will be separate and have their own cumulative update model. +- For Windows 10, available update types vary by publishing channel: + - For customers using Windows Server Update Services (WSUS) and for the Update Catalog, several different updates types for Windows 10 are rolled together for the core OS in a single LCU package, with exception of Servicing Stack Updates. + - Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS, but will not be automatically synced. (See this example for Windows 10, version 1709) For more information on Servicing Stack Updates, please see this blog. + - For customers connecting to Windows Update, the new cloud update architecture uses a database of updates which break out all the different update types, including Servicing Stack Updates (SSU) and Dynamic Updates (DU). The update scanning in the Windows 10 servicing stack on the client automatically takes only the updates that are needed by the device to be completely up to date. +- Windows 7 and other legacy operating systems have cumulative updates that operate differently than in Windows 10 (see next section). + +## Windows 7 and legacy OS versions +While Windows 10 updates could have been controlled as cumulative from "Day 1," the legacy OS ecosystem for both client and server was highly fragmented. Recognizing the challenges of update quality in a fragmented environment, we moved Windows 7 to a cumulative update model in October 2016. + +Customers saw the LCU model used for Windows 10 as having packages that were too large and represented too much of a change for legacy operating systems, so a different model was implemented. Windows instead offered one cumulative package (Monthly Rollup) and one individual package (Security Only) for all legacy operating systems. + +The Monthly Rollup includes new non-security (if appropriate), security updates, Internet Explorer (IE) updates, and all updates from the previous month similar to the Windows 10 model. The Security-only package includes only new security updates for the month. This means that any security updates from any previous month are not included in current month’s Security-Only Package. If a Security-Only update is missed, it is missed. Those updates will not appear in a future Security-Only update. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10. + +![Legacy OS security-only update model](images/security-only-update.png) +*Figure 2.0 - Legacy OS security-only update model* + +Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments which have fully updated machines with Monthly Rollups are running the same baseline against which all legacy OS version updates are tested. These include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. Further, customers who are installing Security-Only Updates and potentially doing so inconsistently are also more fragmented than Microsoft’s test environments for legacy OS version. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously. + +### Points to consider +- Windows 7 and Windows 8 legacy operating system updates [moved from individual to cumulative in October 2016](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783). Devices with updates missing prior to that point are still missing those updates, as they were not included in the subsequent cumulative packages. +- "Hotfixes" are no longer published for legacy OS versions. All updates are rolled into the appropriate package depending on their classification as either non-security, security, or Internet Explorer updates. (Note: any private fix is offered for customer validation only. Once validated they are then rolled into a Monthly Rollup or IE cumulative update, as appropriate.) +- Both Monthly Rollups and Security-only updates released on Update Tuesday for legacy OS versions are identified as "security required" updates, because both have the full set of security updates in them. The Monthly Rollup may have additional non-security updates that are not included in the Security Only update. The "security" classification requires the device be rebooted so the update can be fully installed. +- Given the differences between the cumulative Monthly Rollups and the single-month Security-only update packages, switching between these update types is not advised. Differences in the baselines of these packages may result in installation errors and conflicts. Choosing one and staying on that update type with high consistency – Monthly Rollup or Security-only – is recommended. +- With all Legacy OS versions now in the Extended Support stage of their 10-year lifecycle, they typically receive only security updates for both Monthly Rollup and Security Only updates. Using Express for the Monthly Rollup results in almost the same package size as Security Only, with the added confidence of ensuring all relevant updates are installed. +- In [February 2017](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798), Windows pulled IE updates out of the legacy OS versions Security-only updates, while leaving them in the Monthly Rollup updates. This was done specifically to reduce package size based on customer feedback. +- The IE cumulative update includes both security and non-security updates and is also needed for to help secure the entire environment. This update can be installed separately or as part of the Monthly Rollup. +- [Updates for .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in legacy Monthly Rollup or Security Only packages. They are separate packages with different behaviors depending on the version of the .NET Framework, and which legacy OS, being updated. +- For [Windows Server 2008 SP2](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/), cumulative updates began in October 2018, and follow the same model as Windows 7. Updates for IE9 are included in those packages, as the last supported version of Internet Explorer for that Legacy OS version. + +## Public preview releases +Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month’s B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month’s B release package together with new security updates. Security-only Packages are not part of the C/D preview program. + +### Examples +Windows 10 version 1709: +- (9B) September 11, 2018 Update Tuesday / B release - includes security, non-security and IE update. This update is categorized as "Required, Security" it requires a system reboot. +- (9C) September 26, 2018 Preview C release - includes everything from 9B PLUS some non-security updates for testing/validation. This update is qualified as not required, non-security. No system reboot is required. +- (10B) October 9, 2018 Update Tuesday / B release includes all fixes included in 9B, all fixes in 9C and introduces new security fixes and IE updates. This update is qualified as "Required, Security" and requires a system reboot. +All of these updates are cumulative and build on each other for Windows 10. This is in contrast to legacy OS versions, where the 9C release becomes part of the "Monthly Rollup," but not the "Security Only" update. In other words, a Window 7 SP1 9C update is part of the cumulative "Monthly Rollup" but not included in the "Security Only" update because the fixes are qualified as "non-security". This is an important variation to note on the two models. + +![Preview releases in the Windows 10 LCU model](images/servicing-previews.png) +*Figure 3.0 - Preview releases within the Windows 10 LCU model* + +## Previews vs. on-demand releases +In 2018, we experienced incidents which required urgent remediation that didn’t map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases. + +As a general policy, if a Security-Only package has a regression, which is defined as an unintentional error in the code of an update, then the fix for that regression will be added to the next month’s Security-Only Update. The fix for that regression may also be offered as part an On-Demand release and will be rolled into the next Monthly Update. (Note: Exceptions do exist to this policy, based on timing.) + +### Point to consider +- When Windows identifies an issue with a Update Tuesday release, engineering teams work to remediate or fix the issue as quickly as possible. The outcome is often a new update which may be released at any time, including during the 3rd or 4th week of the month. Such updates are independent of the regularly scheduled "C" and "D" update previews. These updates are created on-demand to remediate a customer impacting issue. In most cases they are qualified as a "non-security" update, and do not require a system reboot. +- Rarely do incidents with Update Tuesday releases impact more than .1% of the total population. With the new Windows Update (WU) architecture, updates can be targeted to affected devices. This targeting is not available through the Update Catalog or WSUS channels, however. +- On-demand releases address a specific issue with an Update Tuesday release and are often qualified as "non-security" for one of two reasons. First, the fix may not be an additional security fix, but a non-security change to the update. Second, the "non-security" designation allows individuals or companies to choose when and how to reboot the devices, rather than forcing a system reboot on all Windows devices receiving the update globally. This trade-off is rarely a difficult choice as it has the potential to impact customer experience across client and server, across consumer and commercial customers for more than one billion devices. +- Because the cumulative model is used across Window 10 and legacy Windows OS versions, despite variations between these OS versions, an out of band release will include all of the changes from the Update Tuesday release plus the fix that addresses the issue. And since Windows no longer releases hotfixes, everything is cumulative in some way. + +In closing, I hope this overview of the update model across current and legacy Windows OS versions highlights the benefits of the Windows 10 cumulative update model to help defragment the Windows ecosystem environments, simplify servicing and help make systems more secure. + +## Resources +- [Simplifying updates for Windows 7 and 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplifying-updates-for-Windows-7-and-8-1/ba-p/166530) +- [Further simplifying servicing models for Windows 7 and Windows 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Further-simplifying-servicing-models-for-Windows-7-and-Windows-8/ba-p/166772) +- [More on Windows 7 and Windows 8.1 servicing changes](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783) +- [.NET Framework Monthly Rollups Explained](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) +- [Simplified servicing for Windows 7 and Windows 8.1: the latest improvements](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798) +- [Windows Server 2008 SP2 servicing changes](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/) +- [Windows 10 update servicing cadence](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376) +- [Windows 7 servicing stack updates: managing change and appreciating cumulative updates](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434) diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index 643e549073..49a13d74fc 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -28,9 +28,16 @@ Using Group Policy to manage Windows Update for Business is simple and familiar: In Windows 10 version 1511, only Current Branch for Business (CBB) upgrades could be delayed, restricting the Current Branch (CB) builds to a single deployment ring. Windows 10 version 1607, however, has a new Group Policy setting that allows you to delay feature updates for both CB and CBB, broadening the use of the CB servicing branch. ->[!NOTE] +>[!NOTES] >The terms *feature updates* and *quality updates* in Windows 10, version 1607, correspond to the terms *upgrades* and *updates* in version 1511. +>To follow the instructions in this article, you will need to download and install the relevant ADMX templates for your Windows 10 version. +>See the following articles for instructions on the ADMX templates in your environment. + +> - [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759) +> - [Step-By-Step: Managing Windows 10 with Administrative templates](https://blogs.technet.microsoft.com/canitpro/2015/10/20/step-by-step-managing-windows-10-with-administrative-templates/) + + To use Group Policy to manage quality and feature updates in your environment, you must first create Active Directory security groups that align with your constructed deployment rings. Most customers have many deployment rings already in place in their environment, and these rings likely align with existing phased rollouts of current patches and operating system upgrades. ## Configure Windows Update for Business in Windows 10 version 1511 diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index bf0ebdf02d..31b15c1429 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md @@ -8,7 +8,6 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 10/29/2018 ms.localizationpriority: medium --- @@ -202,14 +201,15 @@ Starting with Windows 10, version 1803, the device name is no longer collected b If you want to stop using Upgrade Readiness and stop sending diagnostic data to Microsoft, follow these steps: -1. Unsubscribe from the Upgrade Readiness solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option. +1. Unsubscribe from the Upgrade Readiness solution in Azure Portal. In Azure Portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option. ![Upgrade Readiness unsubscribe](images/upgrade-analytics-unsubscribe.png) 2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the diagnostic data level to **Security**: **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection* - **Windows 10**: Follow the instructions in the [Configure Windows diagnostic data in your organization](/configuration/configure-windows-diagnostic-data-in-your-organization.md) topic. + + **Windows 10**: Follow the instructions in [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization). 3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*. 4. **Optional step:** You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". diff --git a/windows/deployment/update/windows-analytics-azure-portal.md b/windows/deployment/update/windows-analytics-azure-portal.md index 2a37f7db2f..384738b8fa 100644 --- a/windows/deployment/update/windows-analytics-azure-portal.md +++ b/windows/deployment/update/windows-analytics-azure-portal.md @@ -5,14 +5,13 @@ keywords: Device Health, oms, Azure, portal, operations management suite, add, m ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.date: 10/05/2018 ms.pagetype: deploy author: jaimeo ms.author: jaimeo ms.localizationpriority: medium --- -# Windows Analytics in the Azure portal +# Windows Analytics in the Azure Portal Windows Analytics uses Azure Log Analytics (formerly known as Operations Management Suite or OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. @@ -65,4 +64,4 @@ From there, select the settings page to adjust specific settings: [![Settings page for Upgrade Readiness in Azure portsl](images/azure-portal-UR-settings.png)](images/azure-portal-UR-settings.png) >[!NOTE] ->To adjust these settings, both the subscription and workspace require "contributor" permissions. You can view your current role and make changes in other roles by using the **Access control (IAM)** tab in Azure. +>To access these settings, both the subscription and workspace require "contributor" permissions. You can view your current role and make changes in other roles by using the **Access control (IAM)** tab in Azure. diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index 1ceeae0987..11b2b08514 100644 --- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md @@ -1,20 +1,19 @@ --- title: Enrolling devices in Windows Analytics (Windows 10) description: Enroll devices to enable use of Update Compliance, Upgrade Readiness, and Device Health in Windows Analytics. -keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, azure portal ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 11/01/2018 ms.localizationpriority: medium --- # Enrolling devices in Windows Analytics -If you have not already done so, consult the topics for any of the three Windows Analytics solutions (Update Compliance, Upgrade Readiness, and Device Health) you intend to use and follow the steps there to add the solutions to Microsoft Operations Management Suite. +If you have not already done so, consult the topics for any of the three Windows Analytics solutions (Update Compliance, Upgrade Readiness, and Device Health) you intend to use and follow the steps there to add the solutions to Azure Portal. - [Get started with Device Health](device-health-get-started.md) - [Get started with Update Compliance](update-compliance-get-started.md) @@ -26,17 +25,20 @@ If you've already done that, you're ready to enroll your devices in Windows Anal ## Copy your Commercial ID key -Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. This should be generated for you automatically. Copy your commercial ID key in OMS and then deploy it to user computers. +Microsoft uses a unique commercial ID to map information from user computers to your Azure workspace. This should be generated for you automatically. Copy your commercial ID key from any of the Windows Analytics solutions you have added to your Windows Portal, and then deploy it to user computers. + +To find your commercial ID, first navigate to the **Solutions** tab for your workspace, and then select the solution. In this example, Upgrade Readiness is being adjusted by selecting **CompatibilityAssessment**: + +[![Select WA solution to adjust settings](images/temp-azure-portal-soltn-setting.png)](images/temp-azure-portal-soltn-setting.png) + +From there, select the settings page, where you can find and copy your commercial ID: + +[![Settings page for Upgrade Readiness in Azure portsl](images/azure-portal-UR-settings.png)](images/azure-portal-UR-settings.png) -1. On the **Settings** dashboard, navigate to the **Windows Telemetry** panel under **Connected Sources** . - ![Operations Management Suite Settings dialog showing Connected sources and Windows telemetry selected and the commercial ID location marked by a black box in the lower right.](images/WA-device-enrollment.png) - -2. Copy your Commercial ID (which should already be populated). Save this Commercial ID because you will need it later for use in the deployment scripts and policies. - - >**Important**
    Regenerate a Commercial ID key only if your original ID key can no longer be used. Regenerating a commercial ID key resets the data in your workspace for all solutions that use the ID. Additionally, you’ll need to deploy the new commercial ID key to user computers again. +>**Important**
    Regenerate a Commercial ID key only if your original ID key can no longer be used. Regenerating a commercial ID key resets the data in your workspace for all solutions that use the ID. Additionally, you’ll need to deploy the new commercial ID key to user computers again. ## Enable data sharing @@ -45,20 +47,20 @@ To enable data sharing, configure your proxy server to whitelist the following e | **Endpoint** | **Function** | |---------------------------------------------------------|-----------| -|`https://ceuswatcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. | -| `https://ceuswatcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. | -| `https://eaus2watcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. | -| `https://eaus2watcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. | -| `https://weus2watcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. | -| `https://weus2watcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. | -| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with devices runningrunning Windows 10, version 1703 or later **that also have the 2018-09 Cumulative Update (KB4458469, KB4457136, KB4457141) or later installed** | +|`https://ceuswatcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness or Update Compliance AV reports. | +| `https://ceuswatcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness or Update Compliance AV reports. | +| `https://eaus2watcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness or Update Compliance AV reports. | +| `https://eaus2watcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness or Update Compliance AV reports. | +| `https://weus2watcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness or Update Compliance AV reports. | +| `https://weus2watcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness or Update Compliance AV reports. | +| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with devices running Windows 10, version 1803 or later **that also have the 2018-09 Cumulative Update (KB4458469, KB4457136, KB4457141) or later installed** | | `https://v10.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with Windows 10, version 1803 *without* the 2018-09 Cumulative Update installed | | `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier | | `https://vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for operating systems older than Windows 10 | | `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. | | `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. | -| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. | -| `https://oca.telemetry.microsoft.com` | Online Crash Analysis; required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. | +| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health reports. Not used by Upgrade Readiness or Update Compliance AV reports. | +| `https://oca.telemetry.microsoft.com` | Online Crash Analysis; required for Device Health reports. Not used by Upgrade Readiness or Update Compliance AV reports. | | `https://login.live.com` | This endpoint is required by Device Health to ensure data integrity and provides a more reliable device identity for all of the Windows Analytics solutions on Windows 10. If you want to disable end-user managed service account (MSA) access, you should apply the appropriate [policy](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts#block-all-consumer-microsoft-account-user-authentication) instead of blocking this endpoint. | | `https://www.msftncsi.com` | Windows Error Reporting (WER); required for Device Health to check connectivity | | `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity | @@ -83,10 +85,12 @@ The compatibility update scans your devices and enables application usage tracki | **Operating System** | **Updates** | |----------------------|-----------------------------------------------------------------------------| -| Windows 10 | Windows 10 includes the compatibility update, so you will automatically have the latest compatibility update so long as you continue to keep your Windows 10 devices up-to-date with cumulative updates. | +| Windows 10 | Windows 10 includes the compatibility update, so you will automatically have the latest compatibility update so long as you continue to keep your Windows 10 devices up to date with cumulative updates. | | Windows 8.1 | [KB 2976978](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)
    Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed.
    For more information about this update, see | | Windows 7 SP1 | [KB2952664](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
    Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed.
    For more information about this update, see | +We also recommend installing the latest [Windows Monthly Rollup](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup) on Windows 7 and Windows 8.1 devices. + >[!IMPORTANT] >Restart devices after you install the compatibility updates for the first time. @@ -99,13 +103,16 @@ If you are planning to enable IE Site Discovery in Upgrade Readiness, you will n | **Site discovery** | **Update** | |----------------------|-----------------------------------------------------------------------------| -| [Review site discovery](../upgrade/upgrade-readiness-additional-insights.md#site-discovery) | [KB3080149](https://www.catalog.update.microsoft.com/Search.aspx?q=3080149)
    Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices.
    For more information about this update, see

    Install the latest [Windows Monthly Rollup](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. | +| [Review site discovery](../upgrade/upgrade-readiness-additional-insights.md#site-discovery) | [KB3080149](https://www.catalog.update.microsoft.com/Search.aspx?q=3080149)
    Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices.
    For more information about this update, see

    Install the latest [Windows Monthly Rollup](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. | + +>[!NOTE] +> IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries. ## Set diagnostic data levels -You can set the diagnostic data level used by monitored devices either with the Update Readiness deployment script or by policy (by using Group Policy or Mobile Device Management). +You can set the diagnostic data level used by monitored devices either with the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) or by policy (by using Group Policy or Mobile Device Management). -The basic functionality of Update Readiness will work at the Basic diagnostic data level, you won't get usage or health data for your updated devices without enabling the Enhanced level. This means you won't get information about health regressions on updated devices. So it is best to enable the Enhanced diagnostic data level, at least on devices running Windows 10, version 1709 (or later) where the Enhanced diagnostic data setting can be paired with "limited enhanced" data level (see [Windows 10 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields)). For more information, see [Windows Analytics and privacy](https://docs.microsoft.com/windows/deployment/update/windows-analytics-privacy). +The basic functionality of Upgrade Readiness will work at the Basic diagnostic data level, you won't get usage or health data for your updated devices without enabling the Enhanced level. This means you won't get information about health regressions on updated devices. So it is best to enable the Enhanced diagnostic data level, at least on devices running Windows 10, version 1709 (or later) where the Enhanced diagnostic data setting can be paired with "limited enhanced" data level (see [Windows 10 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields)). For more information, see [Windows Analytics and privacy](https://docs.microsoft.com/windows/deployment/update/windows-analytics-privacy). ## Enroll a few pilot devices diff --git a/windows/deployment/update/windows-analytics-overview.md b/windows/deployment/update/windows-analytics-overview.md index 3b7e53eaeb..d150f9e110 100644 --- a/windows/deployment/update/windows-analytics-overview.md +++ b/windows/deployment/update/windows-analytics-overview.md @@ -5,7 +5,6 @@ keywords: Device Health, Upgrade Readiness, Update Compliance, oms, operations m ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.date: 03/09/2018 ms.pagetype: deploy author: jaimeo ms.author: jaimeo @@ -14,7 +13,7 @@ ms.localizationpriority: medium # Windows Analytics overview -Windows Analytics is a set of solutions for Microsoft Operations Management Suite (OMS) that provide you with extensive data about the state of devices in your deployment. There are currently three solutions which you can use singly or in any combination: +Windows Analytics is a set of solutions for Azure Portal that provide you with extensive data about the state of devices in your deployment. There are currently three solutions which you can use singly or in any combination: ## Device Health @@ -38,7 +37,7 @@ Windows Analytics is a set of solutions for Microsoft Operations Management Suit ## Upgrade Readiness -[Upgrade Readiness](../upgrade/upgrade-readiness-get-started.md) offers a set of tools to plan and manage the upgrade process end to end, allowing you to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Upgrade Readiness not only supports upgrade management from Windows 7 and Windows 8.1 to Windows 10, but also Windows 10 upgrades in the Windows as a Service model. +[Upgrade Readiness](../upgrade/upgrade-readiness-get-started.md) offers a set of tools to plan and manage the upgrade process end to end, allowing you to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Upgrade Readiness not only supports upgrade management from Windows 7 and Windows 8.1 to Windows 10, but also Windows 10 upgrades in the Windows as a service model. Use Upgrade Readiness to get: @@ -50,4 +49,4 @@ Use Upgrade Readiness to get: - Application usage information, allowing targeted validation; workflow to track validation progress and decisions - Data export to commonly used software deployment tools, including System Center Configuration Manager -To get started with any of these solutions, visit the links for instructions to add it to OMS. \ No newline at end of file +To get started with any of these solutions, visit the links for instructions to add it to Azure Portal. \ No newline at end of file diff --git a/windows/deployment/update/windows-analytics-privacy.md b/windows/deployment/update/windows-analytics-privacy.md index 04358b5b05..1ce1363b10 100644 --- a/windows/deployment/update/windows-analytics-privacy.md +++ b/windows/deployment/update/windows-analytics-privacy.md @@ -8,7 +8,6 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 07/02/2018 ms.localizationpriority: high --- @@ -17,7 +16,7 @@ ms.localizationpriority: high Windows Analytics is fully committed to privacy, centering on these tenets: - **Transparency:** We fully document the Windows Analytics diagnostic events (see the links for additional information) so you can review them with your company’s security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) for details). -- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics +- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics - **Security:** Your data is protected with strong security and encryption - **Trust:** Windows Analytics supports the Microsoft Online Service Terms @@ -39,8 +38,11 @@ See these topics for additional background information about related privacy iss - [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance) - [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization) -- [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965) (link downloads a PDF file) -- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) +- [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965) +- [Windows 10, version 1809 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809) +- [Windows 10, version 1803 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803) +- [Windows 10, version 1709 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709) +- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703) - [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields) - [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) - [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31) diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md new file mode 100644 index 0000000000..25472e32ba --- /dev/null +++ b/windows/deployment/update/windows-as-a-service.md @@ -0,0 +1,139 @@ +--- +title: Windows as a service +ms.prod: windows-10 +layout: LandingPage +ms.topic: landing-page +ms.manager: elizapo +author: lizap +ms.author: elizapo +ms.date: 01/24/2019 +ms.localizationpriority: high +--- +# Windows as a service + +Find the tools and resources you need to help deploy and support Windows as a service in your organization. + +## Latest news, videos, & podcasts + +Find the latest and greatest news on Windows 10 deployment and servicing. + +**Working to make Windows updates clear and transparent** +> [!VIDEO https://www.youtube-nocookie.com/embed/u5P20y39DrA] + +Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. The Windows update history page is for anyone looking to gain an immediate, precise understanding of particular Windows update issues. + +The latest news: + + +[See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog). + +## IT pro champs corner +Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing. + + + +**NEW** Classifying Windows updates in common deployment tools + +NEW Express updates for Windows Server 2016 re-enabled for November 2018 update + + +2019 SHA-2 Code Signing Support requirement for Windows and WSUS + +Deploying Windows 10 Feature Updates to 24/7 Mission Critical Devices + +## Discover + +Learn more about Windows as a service and its value to your organization. + + + +Overview of Windows as a service + +Quick guide to Windows as a service + +Windows Analytics overview + +What's new in Windows 10 deployment + +How Microsoft IT deploys Windows 10 + +## Plan + +Prepare to implement Windows as a service effectively using the right tools, products, and strategies. + + + +Simplified updates + +Windows 10 end user readiness + +Ready for Windows + +Manage Windows upgrades with Upgrade Readiness + +Preparing your organization for a seamless Windows 10 deployment + +## Deploy + +Secure your organization's deployment investment. + + + +Update Windows 10 in the enterprise + +Deploying as an in-place upgrade + +Configure Windows Update for Business + +Express update delivery + +Windows 10 deployment considerations + + +## Microsoft Ignite 2018 + + +Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. + +[BRK2417: What’s new in Windows Analytics: An Intro to Desktop Analytics](https://myignite.techcommunity.microsoft.com/sessions/64324#ignite-html-anchor) + +[BRK3018: Deploying Windows 10 in the enterprise using traditional and modern techniques](https://myignite.techcommunity.microsoft.com/sessions/64509#ignite-html-anchor) + +[BRK3019: Delivery Optimization deep dive: How to reduce internet bandwidth impact on your network](https://myignite.techcommunity.microsoft.com/sessions/64510#ignite-html-anchor) + +[BRK3020: Using AI to automate Windows and Office update staging with Windows Update for Business](https://myignite.techcommunity.microsoft.com/sessions/64513#ignite-html-anchor) + +[BRK3027: Deploying Windows 10: Making the update experience smooth and seamless](https://myignite.techcommunity.microsoft.com/sessions/64612#ignite-html-anchor) + +[BRK3039: Windows 10 and Microsoft Office 365 ProPlus lifecycle and servicing update](https://myignite.techcommunity.microsoft.com/sessions/66763#ignite-html-anchor) + +[BRK3211: Ask the Experts: Successfully deploying, servicing, managing Windows 10](https://myignite.techcommunity.microsoft.com/sessions/65963#ignite-html-anchor) + +[THR2234: Windows servicing and delivery fundamentals](https://myignite.techcommunity.microsoft.com/sessions/66741#ignite-html-anchor) + +[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor) diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index 4c558115d6..638a2ff2e1 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -33,7 +33,7 @@ Advanced users can also refer to the [log](windows-update-logs.md) generated by You might encounter the following scenarios when using Windows Update. ## Why am I offered an older update/upgrade? -The update that is offered to a device depends on several factors. Some of the most common attributes include the following. +The update that is offered to a device depends on several factors. Some of the most common attributes include the following: - OS Build - OS Branch @@ -41,7 +41,7 @@ The update that is offered to a device depends on several factors. Some of the m - OS Architecture - Device update management configuration -If the update you're offered isn't th emost current available, it might be because your device is being managed by a WSUS server, and your'e being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day. +If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day. ## My machine is frozen at scan. Why? The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following: @@ -49,7 +49,44 @@ The Settings UI is talking to the Update Orchestrator service which in turn is t 2. Launch Services.msc and check if the following services are running: - Update State Orchestrator - Windows Update - + +## Feature updates are not being offered while other updates are +On computers running [Windows 10 1709 or higher](#BKMK_DCAT) configured to update from Windows Update (usually WUfB scenario) servicing and definition updates are being installed successfully, but feature updates are never offered. + +Checking the WindowsUpdate.log reveals the following error: +``` +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * START * Finding updates CallerId = Update;taskhostw Id = 25 +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Online = Yes; Interactive = No; AllowCachedResults = No; Ignore download priority = No +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent ServiceID = {855E8A7C-ECB4-4CA3-B045-1DFA50104289} Third party service +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Search Scope = {Current User} +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Caller SID for Applicability: S-1-12-1-2933642503-1247987907-1399130510-4207851353 +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Got 855E8A7C-ECB4-4CA3-B045-1DFA50104289 redir Client/Server URL: https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx"" +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Token Requested with 0 category IDs. +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc GetUserTickets: No user tickets found. Returning WU_E_NO_USERTOKEN. +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetDeviceTickets +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::AddTickets:1092] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [CUpdateEndpointProvider::GenerateSecurityTokenWithAuthTickets:1587] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentTokenFromServer +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentToken +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] EP:Call to GetEndpointToken +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Failed to obtain service 855E8A7C-ECB4-4CA3-B045-1DFA50104289 plugin Client/Server auth token of type 0x00000001 +YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Method failed [CAgentProtocolTalkerContext::DetermineServiceEndpoint:377] +YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Initialization failed for Protocol Talker Context +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Exit code = 0x80070426 +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * END * Finding updates CallerId = Update;taskhostw Id = 25 +``` + +The 0x80070426 error code translates to: +``` +ERROR_SERVICE_NOT_ACTIVE - # The service has not been started. +``` + +Microsoft Account Sign In Assistant (MSA or wlidsvc) is the service in question. The DCAT Flighting service (ServiceId: 855E8A7C-ECB4-4CA3-B045-1DFA50104289) relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client and the search for feature updates never completes successfully. + +In order to solve this issue, we need to reset the MSA service to the default StartType of manual. + ## Issues related to HTTP/Proxy Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Because of this proxy servers configured on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail. @@ -115,7 +152,7 @@ Check the output for the Name and OffersWindowsUPdates parameters, which you can |Output|Interpretation| |-|-| |- Name: Microsoft Update
    -OffersWindowsUpdates: True| - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
    - Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) | -|- Name: DCat Flighting Prod
    - OffersWindowsUpdates: False|- The update source is the Windows Insider Program.
    - Indicates that the client will not receive or is not configured to receive these updates. | +|- Name: DCat Flighting Prod
    - OffersWindowsUpdates: True |- Starting with Windows 10 1709, feature updates are always delivered through the DCAT service.
    - Indicates that the client is configured to receive feature updates from Windows Update. | |- Name: Windows Store (DCat Prod)
    - OffersWindowsUpdates: False |-The update source is Insider Updates for Store Apps.
    - Indicates that the client will not receive or is not configured to receive these updates.| |- Name: Windows Server Update Service
    - OffersWindowsUpdates: True |- The source is a Windows Server Updates Services server.
    - The client is configured to receive updates from WSUS. | |- Name: Windows Update
    - OffersWindowsUpdates: True|- The source is Windows Update.
    - The client is configured to receive updates from Windows Update Online.| @@ -164,12 +201,12 @@ Users may see that Windows 10 is consuming all the bandwidth in the different of The following group policies can help mitigate this: -[Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) -[Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) -[Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) +- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) (Set to enabled) +- Driver search: [Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update") +- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) (Set to enabled) Other components that reach out to the internet: -- Windows Spotlight. [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled) -- [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled) -- Modern App- Windows Update installation fails. [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571) \ No newline at end of file +- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled) +- Consumer experiences: [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled) +- Background traffic from Windows apps: [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571) diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index dee55745d3..8b8a90dcf1 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 08/16/2018 +ms.date: 12/18/2018 ms.localizationpriority: medium --- @@ -24,7 +24,7 @@ ms.localizationpriority: medium ## About SetupDiag -Current version of SetupDiag: 1.3.1.0 +Current version of SetupDiag: 1.4.0.0 SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. @@ -42,7 +42,7 @@ To quickly use SetupDiag on your current computer: 8. Use Notepad to open the log file: **SetupDiagResults.log**. 9. Review the information that is displayed. If a rule was matched this can tell you why the computer failed to upgrade, and potentially how to fix the problem. See the [Text log sample](#text-log-sample) below. -For instructions on how to run the tool in offline more and with more advanced options, see the [Parameters](#parameters) and [Examples](#examples) sections below. +For instructions on how to run the tool in offline mode and with more advanced options, see the [Parameters](#parameters) and [Examples](#examples) sections below. The [Release notes](#release-notes) section at the bottom of this topic has information about recent updates to this tool. @@ -61,11 +61,14 @@ The [Release notes](#release-notes) section at the bottom of this topic has info | --- | --- | | /? |
    • Displays interactive help
    | | /Output:\ |
    • This optional parameter enables you to specify the output file for results. This is where you will find what SetupDiag was able to determine. Only text format output is supported. UNC paths will work, provided the context under which SetupDiag runs has access to the UNC path. If the path has a space in it, you must enclose the entire path in double quotes (see the example section below).
    • Default: If not specified, SetupDiag will create the file **SetupDiagResults.log** in the same directory where SetupDiag.exe is run.
    | -| /Mode:\ |
    • This optional parameter allows you to specify the mode in which SetupDiag will operate: Offline or Online.
    • Offline: tells SetupDiag to run against a set of log files already captured from a failed system. In this mode you can run anywhere you have access to the log files. This mode does not require SetupDiag to be run on the computer that failed to update. When you specify offline mode, you must also specify the /LogsPath: parameter.
    • Online: tells SetupDiag that it is being run on the computer that failed to update. SetupDiag will attempt find log files and resources in standard Windows locations, such as the **%SystemDrive%\$Windows.~bt** directory for setup log files.
    • Log file search paths are configurable in the SetupDiag.exe.config file, under the SearchPath key. Search paths are comma separated. Note: A large number of search paths will extend the time required for SetupDiag to return results.
    • Default: If not specified, SetupDiag will run in Online mode.
    | -| /LogsPath:\ |
    • This optional parameter is required only when **/Mode:Offline** is specified. This tells SetupDiag.exe where to find the log files. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag will recursively search all child directories. This parameter should be omitted when the **/Mode:Online** is specified.
    | +| /LogsPath:\ |
    • This optional parameter tells SetupDiag.exe where to find the log files for an offline analysis. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag will recursively search all child directories.
    | | /ZipLogs:\ |
    • This optional parameter tells SetupDiag.exe to create a zip file containing the results and all the log files it parsed. The zip file is created in the same directory where SetupDiag.exe is run.
    • Default: If not specified, a value of 'true' is used.
    | -| /Verbose |
    • This optional parameter will output much more data to the log file produced by SetupDiag.exe. By default SetupDiag will only produce a log file entry for serious errors. Using **/Verbose** will cause SetupDiag to always produce a log file with debugging details, which can be useful when reporting a problem with SetupDiag.
    | +| /Verbose |
    • This optional parameter will output much more data to a log file. By default, SetupDiag will only produce a log file entry for serious errors. Using **/Verbose** will cause SetupDiag to always produce an additional log file with debugging details. These details can be useful when reporting a problem with SetupDiag.
    | | /Format:\ |
    • This optional parameter can be used to output log files in xml or JSON format. If this parameter is not specified, text format is used by default.
    | +| /NoTel |
    • This optional parameter tells SetupDiag.exe not to send diagnostic telemetry to Microsoft.
    | + +Note: The **/Mode** parameter is deprecated in version 1.4.0.0 of SetupDiag. +- In previous versions, this command was used with the LogsPath parameter to specify that SetupDiag should run in an offline manner to analyze a set of log files that were captured from a different computer. In version 1.4.0.0 when you specify /LogsPath then SetupDiag will automatically run in offline mode, therefore the /Mode parameter is not needed. ### Examples: @@ -75,10 +78,10 @@ In the following example, SetupDiag is run with default parameters (online mode, SetupDiag.exe ``` -In the following example, SetupDiag is specified to run in Online mode (this is the default). It will know where to look for logs on the current (failing) system, so there is no need to gather logs ahead of time. A custom location for results is specified. +In the following example, SetupDiag is run in online mode (this is the default). It will know where to look for logs on the current (failing) system, so there is no need to gather logs ahead of time. A custom location for results is specified. ``` -SetupDiag.exe /Output:C:\SetupDiag\Results.log /Mode:Online +SetupDiag.exe /Output:C:\SetupDiag\Results.log ``` The following example uses the /Output parameter to save results to a path name that contains a space: @@ -90,7 +93,7 @@ SetupDiag /Output:"C:\Tools\SetupDiag\SetupDiag Results\Results.log" The following example specifies that SetupDiag is to run in offline mode, and to process the log files found in **D:\Temp\Logs\LogSet1**. ``` -SetupDiag.exe /Output:C:\SetupDiag\Results.log /Mode:Offline /LogsPath:D:\Temp\Logs\LogSet1 +SetupDiag.exe /Output:C:\SetupDiag\Results.log /LogsPath:D:\Temp\Logs\LogSet1 ``` ## Log files @@ -111,7 +114,7 @@ When Microsoft Windows encounters a condition that compromises safe system opera If crash dumps [are enabled](https://docs.microsoft.com/windows-hardware/drivers/debugger/enabling-a-kernel-mode-dump-file) on the system, a crash dump file is created. If the bug check occurs during an upgrade, Windows Setup will extract a minidump (setupmem.dmp) file. SetupDiag can also debug these setup related minidumps. To debug a setup related bug check, you must: -- Specify the **/Mode:Offline** and **/LogsPath** parameters. You cannot debug memory dumps in online mode. +- Specify the **/LogsPath** parameter. You cannot debug memory dumps in online mode. - Gather the setup memory dump file (setupmem.dmp) from the failing system. - Setupmem.dmp will be created in either **%SystemDrive%\$Windows.~bt\Sources\Rollback**, or in **%WinDir%\Panther\NewOS\Rollback** depending on when the bug check occurs. - Install the [Windows Debugging Tools](https://docs.microsoft.com/windows-hardware/drivers/debugger/debugger-download-tools) on the computer that runs SetupDiag. @@ -119,7 +122,7 @@ To debug a setup related bug check, you must: In the following example, the **setupmem.dmp** file is copied to the **D:\Dump** directory and the Windows Debugging Tools are installed prior to running SetupDiag: ``` -SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /Mode:Offline /LogsPath:D:\Dump +SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /LogsPath:D:\Dump ``` ## Known issues @@ -135,10 +138,10 @@ The following is an example where SetupDiag is run in offline mode. In this exam The output also provides an error code 0xC1900208 - 0x4000C which corresponds to a compatibility issue as documented in the [Upgrade error codes](upgrade-error-codes.md#result-codes) and [Resolution procedures](resolution-procedures.md#modern-setup-errors) topics in this article. ``` -C:\SetupDiag>SetupDiag.exe /Output:C:\SetupDiag\Results.log /Mode:Offline /LogsPath:C:\Temp\BobMacNeill +C:\SetupDiag>SetupDiag.exe /Output:C:\SetupDiag\Results.log /LogsPath:C:\Temp\BobMacNeill -SetupDiag v1.01 -Copyright (c) Microsoft Corporation. All rights reserved +SetupDiag v1.4.0.0 +Copyright (c) Microsoft Corporation. All rights reserved. Searching for setup logs, this can take a minute or more depending on the number and size of the logs...please wait. Found 4 setupact.logs. @@ -365,16 +368,42 @@ Each rule name and its associated unique rule identifier are listed with a descr 40. UpdateAgentExpanderFailure – 66E496B3-7D19-47FA-B19B-4040B9FD17E2 - Matches DPX expander failures in the down-level phase of update from WU. Will output the package name, function, expression and error code. 41. FindFatalPluginFailure – E48E3F1C-26F6-4AFB-859B-BF637DA49636 - - Matches any plug in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code. + - Matches any plug-in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code. 42. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC - Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component and error codes. 43. MigrationAbortedDueToPluginFailure - D07A24F6-5B25-474E-B516-A730085940C9 - - Indicates a critical failure in a migration plugin that causes setup to abort the migration. Will provide the setup operation, plug in name, plug in action and error code. + - Indicates a critical failure in a migration plugin that causes setup to abort the migration. Will provide the setup operation, plug-in name, plug-in action and error code. 44. DISMAddPackageFailed - 6196FF5B-E69E-4117-9EC6-9C1EAB20A3B9 - Indicates a critical failure during a DISM add package operation. Will specify the Package Name, DISM error and add package error code. +45. PlugInComplianceBlock - D912150B-1302-4860-91B5-527907D08960 + - Detects all compat blocks from Server compliance plug-ins. Outputs the block information and remediation. +46. AdvancedInstallerGenericFailure - 4019550D-4CAA-45B0-A222-349C48E86F71 + - Triggers on advanced installer failures in a generic sense, outputting the application called, phase, mode, component and error code. +47. FindMigGatherApplyFailure - A9964E6C-A2A8-45FF-B6B5-25E0BD71428E + - Shows errors when the migration Engine fails out on a gather or apply operation. Indicates the Migration Object (file or registry path), the Migration +48. OptionalComponentFailedToGetOCsFromPackage - D012E2A2-99D8-4A8C-BBB2-088B92083D78 + - Indicates the optional component (OC) migration operation failed to enumerate optional components from an OC Package. Outputs the package name and error code. +49. OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6 + - Indicates the optional component migration operation failed to open an optional component Package. Outputs the package name and error code. +50. OptionalComponentInitCBSSessionFailed - 63340812-9252-45F3-A0F2-B2A4CA5E9317 + - Indicates corruption in the servicing stack on the down-level system. Outputs the error code encountered while trying to initialize the servicing component on the existing OS. +51. DISMproviderFailure - D76EF86F-B3F8-433F-9EBF-B4411F8141F4 + - Triggers when a DISM provider (plug-in) fails in a critical operation. Outputs the file (plug-in name), function called + error code, and error message from the provider. +52. SysPrepLaunchModuleFailure - 7905655C-F295-45F7-8873-81D6F9149BFD + - Indicates a sysPrep plug-in has failed in a critical operation. Indicates the plug-in name, operation name and error code. +53. UserProvidedDriverInjectionFailure - 2247C48A-7EE3-4037-AFAB-95B92DE1D980 + - A driver provided to setup (via command line input) has failed in some way. Outputs the driver install function and error code. ## Release notes +12/18/2018 - SetupDiag v1.4.0.0 is released with 53 rules, as a standalone tool available from the Download Center. + - This release includes major improvements in rule processing performance: ~3x faster rule processing performance! + - The FindDownlevelFailure rule is up to 10x faster. + - New rules have been added to analyze failures upgrading to Windows 10 version 1809. + - A new help link is available for resolving servicing stack failures on the down-level OS when the rule match indicates this type of failure. + - Removed the need to specify /Mode parameter. Now if you specify /LogsPath, it automatically assumes offline mode. + - Some functional and output improvements were made for several rules. + 07/16/2018 - SetupDiag v1.3.1 is released with 44 rules, as a standalone tool available from the Download Center. - This release fixes a problem that can occur when running SetupDiag in online mode on a computer that produces a setupmem.dmp file, but does not have debugger binaries installed. @@ -480,4 +509,4 @@ Refer to https://docs.microsoft.com/windows/deployment/upgrade/upgrade-error-cod ## Related topics -[Resolve Windows 10 upgrade errors: Technical information for IT Pros](https://docs.microsoft.com/windows/deployment/upgrade/resolve-windows-10-upgrade-errors) \ No newline at end of file +[Resolve Windows 10 upgrade errors: Technical information for IT Pros](https://docs.microsoft.com/windows/deployment/upgrade/resolve-windows-10-upgrade-errors) diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index afefc6519e..e363b4d807 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 03/30/2018 ms.localizationpriority: medium --- @@ -22,7 +21,7 @@ ms.localizationpriority: medium If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process. -Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. +Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. Note: Progress is tracked in the registry during the upgrade process using the following key: **HKLM\System\Setup\mosetup\volatile\SetupProgress**. This key is volatile and only present during the upgrade process; it contains a binary value in the range 0-100. These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered. diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md index 80369e62f5..74c4a1b565 100644 --- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md +++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md @@ -3,7 +3,6 @@ title: Upgrade Readiness - Additional insights description: Explains additional features of Upgrade Readiness. ms.prod: w10 author: jaimeo -ms.date: 07/02/2018 --- # Upgrade Readiness - Additional insights diff --git a/windows/deployment/upgrade/upgrade-readiness-architecture.md b/windows/deployment/upgrade/upgrade-readiness-architecture.md index fd7e2605ab..d0bf1ba221 100644 --- a/windows/deployment/upgrade/upgrade-readiness-architecture.md +++ b/windows/deployment/upgrade/upgrade-readiness-architecture.md @@ -2,8 +2,7 @@ title: Upgrade Readiness architecture (Windows 10) description: Describes Upgrade Readiness architecture. ms.prod: w10 -author: greg-lindsay -ms.date: 04/25/2017 +author: jaimeo --- # Upgrade Readiness architecture @@ -16,7 +15,7 @@ Microsoft analyzes system, application, and driver diagnostic data to help you ![Upgrade Readiness architecture](../images/ur-arch-diagram.png) -After you enable Windows diagnostic data on user computers and install the compatibility update KB (1), user computers send computer, application and driver diagnostic data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Readiness, diagnostic data is analyzed by the Upgrade Readiness Service (3) and pushed to your OMS workspace (4). You can then use the Upgrade Readiness solution (5) to plan and manage Windows upgrades. +After you enable Windows diagnostic data on user computers and install the compatibility update KB (1), user computers send computer, application and driver diagnostic data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Readiness, diagnostic data is analyzed by the Upgrade Readiness Service (3) and pushed to your workspace (4). You can then use the Upgrade Readiness solution (5) to plan and manage Windows upgrades. For more information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see: diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md index 15b27923b6..5be4b56f53 100644 --- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md +++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md @@ -5,8 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -author: greg-lindsay -ms.date: 04/19/2017 +author: jaimeo --- # Upgrade Readiness data sharing @@ -42,7 +41,7 @@ In order to set the WinHTTP proxy system-wide on your computers, you need to The WinHTTP scenario is most appropriate for customers who use a single proxy or f. If you have more advanced proxy requirements, refer to Scenario 3. -If you want to learn more about Proxy considerations on Windows, please take a look at this post in the ieinternals blog +If you want to learn more about proxy considerations on Windows, see [Understanding Web Proxy Configuration](https://blogs.msdn.microsoft.com/ieinternals/2013/10/11/understanding-web-proxy-configuration/). ### Logged-in user’s Internet connection diff --git a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md index 3aabb7b13b..96332bb317 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md +++ b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md @@ -3,7 +3,6 @@ title: Upgrade Readiness - Get a list of computers that are upgrade ready (Windo description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Readiness. ms.prod: w10 author: jaimeo -ms.date: 04/19/2017 --- # Upgrade Readiness - Step 3: Deploy Windows @@ -35,7 +34,7 @@ Select **Export computers** for more details, including computer name, manufactu ## Computer groups -Computer groups allow you to segment your environment by creating device groups based on OMS log search results, or by importing groups from Active Directory, WSUS or System Center Configuration Manager. Computer groups are an OMS feature. For more information, see [Computer groups in OMS](https://blogs.technet.microsoft.com/msoms/2016/04/04/computer-groups-in-oms/). +Computer groups allow you to segment your environment by creating device groups based on log search results, or by importing groups from Active Directory, WSUS or System Center Configuration Manager. Computer groups are an OMS feature. For more information, see [Computer groups in OMS](https://blogs.technet.microsoft.com/msoms/2016/04/04/computer-groups-in-oms/). Query based computer groups are recommended in the initial release of this feature. A feature known as **Configuration Manager Upgrade Readiness Connector** is anticipated in a future release that will enable synchronization of **ConfigMgr Collections** with computer groups in OMS. diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index 76e0198780..ec7d59b862 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md @@ -6,7 +6,6 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: jaimeo -ms.date: 10/29/2018 --- # Upgrade Readiness deployment script @@ -46,7 +45,7 @@ To run the Upgrade Readiness deployment script: 1. Provide a storage location for log information. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. Example: %SystemDrive%\\UADiagnostics - 2. Input your commercial ID key. This can be found in your OMS workspace under Settings -> Connected Sources -> Windows Telemetry. + 2. Input your commercial ID key. To find your commercial ID, first navigate to the **Solutions** tab for your workspace, and then select the solution. From there, select the **Settings** page, where you can find and copy your commercial ID: 3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options: @@ -83,232 +82,72 @@ To run the Upgrade Readiness deployment script: The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered. -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Exit code and meaningSuggested fix
    0 - SuccessN/A
    1 - Unexpected error occurred while executiEng the script. The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again.
    2 - Error when logging to console. $logMode = 0.
    (console only)    		Try changing the $logMode value to **1** and try again.
    $logMode value 1 logs to both console and file.
    3 - Error when logging to console and file. $logMode = 1.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
    4 - Error when logging to file. $logMode = 2.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
    5 - Error when logging to console and file. $logMode = unknown.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
    6 - The commercialID parameter is set to unknown.
    Modify the runConfig.bat file to set the CommercialID value.    		The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace. -
    See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace.
    8 - Failure to create registry key path: **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection**The Commercial Id property is set at the following registry key path: **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection** -
    Verify that the context under which the script in running has access to the registry key.
    9 - The script failed to write Commercial Id to registry. -
    Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection** -     		Verify that the context under which the script in running has access to the registry key.
    10 - Error when writing **CommercialDataOptIn** to the registry at **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection**Verify that the deployment script is running in a context that has access to the registry key.
    11 - Function **SetupCommercialId** failed with an unexpected exception.The **SetupCommercialId** function updates the Commercial Id at the registry key path: **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection**
    Verify that the configuration script has access to this location.
    12 - Can’t connect to Microsoft - Vortex. Check your network/proxy settings.**Http Get** on the end points did not return a success exit code.
    - For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive.
    - For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive. -
    If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) -
    13 - Can’t connect to Microsoft - setting. An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. -14
    14 - Can’t connect to Microsoft - compatexchange.An error occurred connecting to [CompatibilityExchangeService.svc](https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc). This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md).
    15 - Function CheckVortexConnectivity failed with an unexpected exception.This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). Check the logs for the exception message and the HResult.
    16 - The computer requires a reboot before running the script.A reboot is required to complete the installation of the compatibility update and related KBs. Reboot the computer before running the Upgrade Readiness deployment script.
    17 - Function **CheckRebootRequired** failed with an unexpected exception.A reboot is required to complete installation of the compatibility update and related KBs. Check the logs for the exception message and the HResult.
    18 - Appraiser KBs not installed or **appraiser.dll** not found.Either the Appraiser KBs are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser diagnostic data events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic.
    19 - Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception.Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed.
    20 - An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at **HKLM:\SOFTWARE\Microsoft\WindowsNT -\CurrentVersion\AppCompatFlags\Appraiser** The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key.
    21 - Function **SetRequestAllAppraiserVersions** failed with an unexpected exception.Check the logs for the exception message and HResult.
    22 - **RunAppraiser** failed with unexpected exception.Check the logs for the exception message and HResult. Check the **%windir%\System32** directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file.
    23 - Error finding system variable **%WINDIR%**.Verify that this environment variable is configured on the computer.
    24 - The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection**This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult.
    25 - The function **SetIEDataOptIn** failed with unexpected exception.Check the logs for the exception message and HResult.
    27 - The script is not running under **System** account.The Upgrade Readiness configuration script must be run as **System**.
    28 - Could not create log file at the specified **logPath**. Make sure the deployment script has access to the location specified in the **logPath** parameter.
    29 - Connectivity check failed for proxy authentication. Instal cumulative updates on the computer and enable the **DisableEnterpriseAuthProxy** authentication proxy setting. -
    The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7. -
    For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). -
    For more information on authentication proxy support, see [Authentication proxy support added in new version (12.28.16) of the Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?linkid=838688).
    30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled.The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7. -
    For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). -
    For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
    31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. Use the Windows Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled to run daily at 3 a.m.
    32 - Appraiser version on the machine is outdated. The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#deploy-the-compatibility-update-and-related-updates) for Windows 7 SP1/Windows 8.1.
    33 - **CompatTelRunner.exe** exited with an exit code **CompatTelRunner.exe** runs the appraise task on the machine. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Check the logs for more details. Also see the **Note** following this table for additional steps to follow.
    34 - Function **CheckProxySettings** failed with an unexpected exception. Check the logs for the exception message and HResult.>
    35 - Function **CheckAuthProxy** failed with an unexpected exception.Check the logs for the exception message and HResult.
    36 - Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception.Check the logs for the exception message and HResult.
    37 - **Diagnose_internal.cmd** failed with an unexpected exception.Check the logs for the exception message and HResult.
    38 - Function **Get-SqmID** failed with an unexpected exception. Check the logs for the exception message and HResult.
    39 - For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path **HKLM:\SOFTWARE\Policies\Microsoft -\Windows\DataCollection** - or **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection**For Windows 10 machines, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will throw an error if this is not true. For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
    40 - Function **CheckTelemetryOptIn** failed with an unexpected exception. Check the logs for the exception message and HResult.
    41 - The script failed to impersonate the currently logged on user. The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the logged on user. The script also tries to mimic this, but the process failed.
    42 - Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. Check the logs for the exception message and HResult.
    43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception.Check the logs for the exception message and HResult.
    44 - Diagtrack.dll version is old, so Auth Proxy will not work.Update the PC using Windows Update/Windows Server Update Services.
    45 - Diagrack.dll was not found.Update the PC using Windows Update/Windows Server Update Services.
    48 - **CommercialID** mentioned in RunConfig.bat should be a GUID.**CommercialID** is mentioned in RunConfig.bat, but it is not a GUID. Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**.
    50 - Diagtrack Service is not running.Diagtrack Service is required to send data to Microsoft. Enable and run the 'Connected User Experiences and Telemetry' service.
    51 - RunCensus failed with an unexpected exception.RunCensus explitly runs the process used to collect device information. The method failed with an unexpected exception. Check the ExceptionHResult and ExceptionMessage for more details.
    52 - DeviceCensus.exe not found on a Windows 10 machine.On computers running Windows 10, the process devicecensus.exe should be present in the \system32 folder. Error code 52 is returned if the process was not found. Ensure that it exists at the specified location.
    53 - There is a different CommercialID present at the GPO path:  **HKLM:\SOFTWARE\Policies\Microsoft -\Windows\DataCollection**. This will take precedence over the CommercialID provided in the script.Provide the correct CommercialID at the GPO location.
    -
    +| Exit code | Suggested fix | +|-----------|--------------| +| 0 - Success | N/A | +| 1 - Unexpected error occurred while executing the script. | The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again. | +| 2 - Error when logging to console. $logMode = 0. (console only) | Try changing the $logMode value to **1** and try again. $logMode value 1 logs to both console and file. | +| 3 - Error when logging to console and file. $logMode = 1. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. | +| 4 - Error when logging to file. $logMode = 2. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. | +| 5 - Error when logging to console and file. $logMode = unknown. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. | +| 6 - The commercialID parameter is set to unknown. | Modify the runConfig.bat file to set the CommercialID value. The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace. See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace. | +| 8 - Failure to create registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection**. The Commercial Id property is set at the following registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. | +| 9 - The script failed to write Commercial Id to registry. +Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. | +| 10 - Error when writing **CommercialDataOptIn** to the registry at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the deployment script is running in a context that has access to the registry key. | +| 11 - Function **SetupCommercialId** failed with an unexpected exception. The **SetupCommercialId** function updates the Commercial Id at the registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the configuration script has access to this location. | +| 12 - Can’t connect to Microsoft - Vortex. Check your network/proxy settings. | **Http Get** on the end points did not return a success exit code. For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive. For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive. If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) | +| 13 - Can’t connect to Microsoft - setting. | An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. | +| 14 - Can’t connect to Microsoft - compatexchange. An error occurred connecting to [CompatibilityExchangeService.svc](https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc). | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). | +| 15 - Function CheckVortexConnectivity failed with an unexpected exception. | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). Check the logs for the exception message and the HResult. | +| 16 - The computer requires a reboot before running the script. | Restart the device to complete the installation of the compatibility update and related updates. Reboot the computer before running the Upgrade Readiness deployment script. | +| 17 - Function **CheckRebootRequired** failed with an unexpected exception. | Restart the device to complete installation of the compatibility update and related updates. Check the logs for the exception message and the HResult. | +|18 - Appraiser KBs not installed or **appraiser.dll** not found. | Either the Appraiser-related updates are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser diagnostic data events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic. | +| 19 - Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception. | Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed. | +| 20 - An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at **HKLM:\SOFTWARE\Microsoft\WindowsNT \CurrentVersion\AppCompatFlags\Appraiser** | The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key. | +| 21 - Function **SetRequestAllAppraiserVersions** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 22 - **RunAppraiser** failed with unexpected exception. | Check the logs for the exception message and HResult. Check the **%windir%\System32** directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file. | +| 23 - Error finding system variable **%WINDIR%**. | Verify that this environment variable is configured on the computer. | +| 24 - The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult. | +| 25 - The function **SetIEDataOptIn** failed with unexpected exception. | Check the logs for the exception message and HResult. | +| 27 - The script is not running under **System** account. | The Upgrade Readiness configuration script must be run as **System**. | +| 28 - Could not create log file at the specified **logPath**. | Make sure the deployment script has access to the location specified in the **logPath** parameter. | +| 29 - Connectivity check failed for proxy authentication. | Install cumulative updates on the device and enable the **DisableEnterpriseAuthProxy** authentication proxy setting. The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [Authentication proxy support added in new version (12.28.16) of the Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?linkid=838688). | +| 30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled. | The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). | +| 31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. Use Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled by default to run daily at 0300. | +| 32 - Appraiser version on the machine is outdated. | The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#deploy-the-compatibility-update-and-related-updates) for Windows 7 SP1/Windows 8.1. | +| 33 - **CompatTelRunner.exe** exited with an exit code | **CompatTelRunner.exe** runs the appraise task on the device. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Check the logs for more details. Also see the **Note** following this table for additional steps to follow. | +| 34 - Function **CheckProxySettings** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 35 - Function **CheckAuthProxy** failed with an unexpected exception. Check the logs for the exception message and HResult. | +| 36 - Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 37 - **Diagnose_internal.cmd** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 38 - Function **Get-SqmID** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 39 - For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection** or **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | For Windows 10 devices, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will return an error if this is not true. For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). | +| 40 - Function **CheckTelemetryOptIn** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 41 - The script failed to impersonate the currently logged on user. | The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the user that is logged on. The script also tries to mimic this, but the process failed. | +| 42 - Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 44 - Diagtrack.dll version is old, so Auth Proxy will not work. | Update the device using Windows Update or Windows Server Update Services. | +| 45 - Diagtrack.dll was not found. | Update the device using Windows Update or Windows Server Update Services. | +| 48 - **CommercialID** mentioned in RunConfig.bat should be a GUID. | Copy the commercial ID from your workspace. To find your commercial ID, first navigate to the Solutions tab for your workspace in Azure Portal, and then select the solution. From there, select the **Settings** page, where you can find and copy your commercial ID.| +| 50 - Diagtrack Service is not running. | The Diagtrack service is required to send data to Microsoft. Enable and run the "Connected User Experiences and Telemetry" service. | +| 51 - RunCensus failed with an unexpected exception. | RunCensus explitly runs the process used to collect device information. The method failed with an unexpected exception. The most common cause is incorrect setup of diagnostic data. Check the ExceptionHResult and ExceptionMessage for more details. | +| 52 - DeviceCensus.exe not found on a Windows 10 machine. | On computers running Windows 10, the process devicecensus.exe should be present in the \system32 directory. Error code 52 is returned if the process was not found. Ensure that it exists at the specified location. | +| 53 - There is a different CommercialID present at the GPO path: **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection**. This will take precedence over the CommercialID provided in the script. | Provide the correct CommercialID at the GPO location. | +| 54 - Microsoft Account Sign In Assistant Service is Disabled. | This service is required for devices running Windows 10. The diagnostic data client relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client and Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). | +| 55 - SetDeviceNameOptIn function failed to create registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | The function SetDeviceNameOptIn sets the registry key value which determines whether to send the device name in diagnostic data. The function tries to create the registry key path if it does not already exist. Verify that the account has the correct permissions to change or add registry keys. | +| 56 - SetDeviceNameOptIn function failed to create property AllowDeviceNameInTelemetry at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys.| +| 57 - SetDeviceNameOptIn function failed to update AllowDeviceNameInTelemetry property to value 1 at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys. | +| 58 - SetDeviceNameOptIn function failed with unexpected exception | The function SetDeviceNameOptIn failed with an unexpected exception. | +| 59 - CleanupOneSettings failed to delete LastPersistedEventTimeOrFirstBoot property at registry key path: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Diagtrack** |The CleanupOneSettings function clears some of the cached values needed by the Appraiser which is the data collector on the monitored device. This helps in the download of the most recent for accurate running of the data collector. Verify that the account has the correct permissions to change or add registry keys. | +| 60 - CleanupOneSettings failed to delete registry key: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ Diagnostics\Diagtrack\SettingsRequests** | Verify that the account has the correct permissions to change or add registry keys. | +| 61 - CleanupOneSettings failed with an exception | CleanupOneSettings failed with an unexpected exception. | +| 63 - Diagnostic data is disabled for the device | If AllowTelemetry == 0, devices cannot send diagnostic data. To resolve this, set the **AllowTelemetry** value at **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**. | + + + + + >[!NOTE] diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index 35d32c83e9..af94500571 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -8,7 +8,6 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 10/10/2018 ms.localizationpriority: medium --- @@ -30,7 +29,7 @@ Before you begin, consider reviewing the following helpful information:
    When you are ready to begin using Upgrade Readiness, perform the following steps: 1. Review [data collection and privacy](#data-collection-and-privacy) information. -2. [Add Upgrade Readiness to OMS](#add-upgrade-readiness-to-operations-management-suite). +2. [Add the Upgrade Readiness solution to your Azure subsctiption](#add-the-upgrade-readiness-solution-to-your-Azure-subscription). 3. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics). 4. [Use Upgrade Readiness to manage Windows Upgrades](#use-upgrade-readiness-to-manage-windows-upgrades) once your devices are enrolled. diff --git a/windows/deployment/upgrade/upgrade-readiness-identify-apps.md b/windows/deployment/upgrade/upgrade-readiness-identify-apps.md index 92dbe3590b..b089d65f7b 100644 --- a/windows/deployment/upgrade/upgrade-readiness-identify-apps.md +++ b/windows/deployment/upgrade/upgrade-readiness-identify-apps.md @@ -2,8 +2,7 @@ title: Upgrade Readiness - Identify important apps (Windows 10) description: Describes how to prepare your environment so that you can use Upgrade Readiness to manage Windows upgrades. ms.prod: w10 -author: greg-lindsay -ms.date: 04/19/2017 +author: jaimeo --- # Upgrade Readiness - Step 1: Identify important apps diff --git a/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md index be3d2aee32..e1e0bb0a7d 100644 --- a/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md +++ b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md @@ -6,7 +6,6 @@ ms.localizationpriority: medium ms.prod: w10 author: jaimeo ms.author: jaimeo -ms.date: 11/07/2018 --- # Upgrade Readiness - Step 4: Monitor diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index 03b001c31f..e7f6a76085 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md @@ -4,8 +4,7 @@ description: Provides requirements for Upgrade Readiness. keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, ms.prod: w10 author: jaimeo -ms.author: -ms.date: 06/12/2018 +ms.author: jaimeo ms.localizationpriority: medium --- @@ -38,14 +37,14 @@ While Upgrade Readiness can be used to assist with updating devices from Windows ## Operations Management Suite or Azure Log Analytics -Upgrade Readiness is offered as a solution in Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud based services for managing on premises and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). +Upgrade Readiness is offered as a solution in Azure Portal and Azure Log Analytics, a collection of cloud-based services for managing on premises and cloud computing environments. For more information about Azure Portal, see [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). -If you’re already using OMS or Azure Log Analytics, you’ll find Upgrade Readiness in the Solutions Gallery. Click the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution’s details page. Upgrade Readiness is now visible in your workspace. +If you’re already using Azure Portal or Azure Log Analytics, you’ll find Upgrade Readiness in the Solutions Gallery. Click the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution’s details page. Upgrade Readiness is now visible in your workspace. -If you are not using OMS or Azure Log Analytics, go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. +If you are not using Azure Portal or Azure Log Analytics, go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. >[!IMPORTANT] ->You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions. +>You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to Azure Portal. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in Azure Portal. You also need an Azure subscription to link to your Azure Portal workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions. ## System Center Configuration Manager integration @@ -59,13 +58,13 @@ Before you get started configuring Upgrade Anatlyics, review the following tips **Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises. -**In-region data storage requirements.** Windows diagnostic data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. Upgrade Readiness is supported in all OMS regions; however, selecting an international OMS region does not prevent diagnostic data from being sent to and processed in Microsoft's secure data centers in the US. +**In-region data storage requirements.** Windows diagnostic data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in Azure Portal. Upgrade Readiness is supported in all Azure regions; however, selecting an international Azure region does not prevent diagnostic data from being sent to and processed in Microsoft's secure data centers in the US. ### Tips - When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export a list with fewer items. -- Sorting data by clicking a column heading may not sort your complete list of items. For information about how to sort data in OMS, see [Sorting DocumentDB data using Order By](https://azure.microsoft.com/documentation/articles/documentdb-orderby). +- Sorting data by clicking a column heading may not sort your complete list of items. For information about how to sort data in Azure Portal, see [Sorting DocumentDB data using Order By](https://azure.microsoft.com/documentation/articles/documentdb-orderby). ## Get started diff --git a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md index 3f049881af..3c73b1ceb3 100644 --- a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md +++ b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md @@ -5,7 +5,6 @@ keywords: windows analytics, oms, operations management suite, prerequisites, re ms.prod: w10 author: jaimeo ms.author: jaimeo -ms.date: 08/31/2017 ms.localizationpriority: medium --- diff --git a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md index a44c405280..591cc06de3 100644 --- a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md +++ b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md @@ -3,7 +3,6 @@ title: Upgrade Readiness - Targeting a new operating system version description: Explains how to run Upgrade Readiness again to target a different operating system version or bulk-approve all apps from a given vendor ms.prod: w10 author: jaimeo -ms.date: 05/31/2018 --- # Targeting a new operating system version diff --git a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md index d33af45a70..d3560f85ac 100644 --- a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md +++ b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md @@ -2,8 +2,7 @@ title: Upgrade Readiness - Upgrade Overview (Windows 10) description: Displays the total count of computers sharing data and upgraded. ms.prod: w10 -author: greg-lindsay -ms.date: 08/15/2017 +author: jaimeo --- # Upgrade Readiness - Upgrade overview diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md index bef52aab7a..1954507487 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md @@ -22,7 +22,7 @@ The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Wi ## Proof-of-concept environment -For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0003 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). +For the purposes of this topic, we will use three machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). ![figure 1](../images/upgrademdt-fig1-machines.png) @@ -48,7 +48,7 @@ For full details and an explanation of the task sequence steps, review the full ## Create a device collection -After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0003 machine running Windows 7 SP1, with the Configuration Manager client installed. +After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the Configuration Manager client installed. 1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - General @@ -65,13 +65,13 @@ After you create the upgrade task sequence, you can create a collection to test - Attribute Name: Name - - Value: PC0003 + - Value: PC0001 - Select Resources - - Select PC0003 + - Select PC0001 -2. Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0003 machine in the collection. +2. Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection. ## Deploy the Windows 10 upgrade @@ -94,9 +94,9 @@ In this section, you create a deployment for the Windows 10 Enterprise x64 Upda ## Start the Windows 10 upgrade -In this section, you start the Windows 10 Upgrade task sequence on PC0003 (currently running Windows 7 SP1). +In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1). -1. On PC0003, start the **Software Center**. +1. On PC0001, start the **Software Center**. 2. Select the **Windows vNext Upgrade** task sequence, and then click **Install**. When the task sequence begins, it will automatically initiate the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. @@ -143,7 +143,7 @@ Figure 3. The Configuration Manager upgrade task sequence. ### Create a device collection -After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0003 machine running Windows 7 SP1, with the next version of System Center Configuration Manager client installed. +After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the next version of System Center Configuration Manager client installed. 1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - General @@ -160,13 +160,13 @@ After you create the upgrade task sequence, you can create a collection to test - Attribute Name: Name - - Value: PC0003 + - Value: PC0001 - Select Resources - - Select PC0003 + - Select PC0001 -2. Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0003 machine in the collection. +2. Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection. ### Deploy the Windows 10 upgrade @@ -187,9 +187,9 @@ In this section, you create a deployment for the Windows 10 Enterprise x64 Upda ### Start the Windows 10 upgrade -In this section, you start the Windows 10 Upgrade task sequence on PC0003 (currently running Windows 7 SP1). +In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1). -1. On PC0003, start the **Software Center**. +1. On PC0001, start the **Software Center**. 2. Select the **Windows 10 Enterprise x64 Upgrade** task sequence, and then click **Install.** When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index 596c5c9540..d6cdab7ce2 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -66,7 +66,7 @@ Figure 2. The imported Windows 10 operating system after you rename it. - Task sequence ID: W10-X64-UPG - Task sequence name: Windows 10 Enterprise x64 RTM Upgrade - Template: Standard Client Upgrade Task Sequence - - Select OS: Windows 10 Enterprise x64 RTM RTM Default Image + - Select OS: Windows 10 Enterprise x64 RTM Default Image - Specify Product Key: Do not specify a product key at this time - Full Name: Contoso - Organization: Contoso @@ -103,4 +103,4 @@ After the task sequence completes, the computer will be fully upgraded to Window [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117) -  \ No newline at end of file +  diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index e9b94e674c..fc3d890534 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -8,7 +8,6 @@ ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mobile author: greg-lindsay -ms.date: 10/25/2018 --- # Windows 10 edition upgrade @@ -59,7 +58,6 @@ X = unsupported
    | **Pro for Workstations > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (1703 - PC)
    (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | | **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
    (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | | **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
    (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Enterprise LTSC > Enterprise** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
    (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | | **Mobile > Mobile Enterprise** | ![supported, no reboot](../images/check_blu.png) |![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | > [!NOTE] diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index c4d8887279..91d6394973 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -7,7 +7,6 @@ ms.sitesec: library ms.localizationpriority: medium ms.pagetype: mobile author: greg-lindsay -ms.date: 07/06/2018 --- # Windows 10 upgrade paths @@ -24,7 +23,7 @@ This topic provides a summary of available upgrade paths to Windows 10. You can >**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. ->In-place upgrade from Windows 7, Windows 8.1, or Windows 10 semi-annual channel to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. +>In-place upgrade from Windows 7, Windows 8.1, or Windows 10 semi-annual channel to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). >**Windows N/KN**: Windows "N" and "KN" SKUs follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index c62c65555b..ebb0b5998f 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md +++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md @@ -52,7 +52,7 @@ To enable KMS functionality, a KMS key is installed on a KMS host; then, the hos For more information, see the information for Windows 7 in [Deploy KMS Activation](https://go.microsoft.com/fwlink/p/?LinkId=717032). ## Key Management Service in Windows Server 2012 R2 -Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Sever 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista. +Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista. **Note**   You cannot install a client KMS key into the KMS in Windows Server. diff --git a/windows/deployment/volume-activation/active-directory-based-activation-overview.md b/windows/deployment/volume-activation/active-directory-based-activation-overview.md index e64be6f39d..80c66dec36 100644 --- a/windows/deployment/volume-activation/active-directory-based-activation-overview.md +++ b/windows/deployment/volume-activation/active-directory-based-activation-overview.md @@ -7,18 +7,29 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: greg-lindsay -ms.date: 04/19/2017 +ms.date: 12/07/2018 --- -# Active Directory-Based Activation Overview +# Active Directory-Based Activation overview Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the company’s domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it is distributed throughout the domain. -## Active Directory-Based Activation Scenarios +## ADBA scenarios -VAMT enables IT Professionals to manage and activate the Active Directory-Based Activation object. Activation can be performed by using a scenario such as the following: -- Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the Active Directory-Based Activation Object a name. -- Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the Active Directory-Based Activation Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function. +You might use ADBA if you only want to activate domain joined devices. + +If you have a server hosting the KMS service, it can be necessary to reactivate licenses if the server is replaced with a new host. This is not necessary When ADBA is used. + +ADBA can also make load balancing easier when multiple KMS servers are present since the client can connect to any domain controller. This is simpler than using the DNS service to load balance by configuring priority and weight values. + +Some VDI solutions also require that new clients activate during creation before they are added to the pool. In this scenario, ADBA can eliminate potential VDI issues that might arise due to a KMS outage. + + +## ADBA methods + +VAMT enables IT Professionals to manage and activate the ADBA object. Activation can be performed using the following methods: +- Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the ADBA Object a name. +- Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the ADBA Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function. ## Related topics diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md index 7942cf6e89..73593356e4 100644 --- a/windows/deployment/windows-10-enterprise-subscription-activation.md +++ b/windows/deployment/windows-10-enterprise-subscription-activation.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt -ms.date: 05/23/2018 author: greg-lindsay --- @@ -64,6 +63,9 @@ For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & - Azure Active Directory (Azure AD) available for identity management. - Devices must be Azure AD-joined or Active Directory joined with Azure AD Connect. Workgroup-joined devices are not supported. + >[!NOTE] + >An issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. To resolve this issue, the user must either sign in with an Azure Active Directory account, or you must disable MFA for this user during the 30-day polling period and renewal. + For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3 or E5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md index a127409535..2c2a9c2a25 100644 --- a/windows/deployment/windows-10-pro-in-s-mode.md +++ b/windows/deployment/windows-10-pro-in-s-mode.md @@ -7,34 +7,75 @@ ms.localizationpriority: medium ms.prod: w10 ms.sitesec: library ms.pagetype: deploy -ms.date: 08/30/2018 -author: Mikeblodge +author: jaimeo --- -# Switch to Windows 10 Pro/Enterprise from S mode +# Switch to Windows 10 Pro or Enterprise from S mode -We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro. You can switch devices running Windows 10, version 1709 or later. Use the following information to switch to Windows 10 Pro through the Microsoft Store. +We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later. + +A number of other transformations are possible depending on which version and edition of Windows 10 you are starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means: + + + + +| If a device is running this version of Windows 10 | and this edition of Windows 10 | then you can switch or convert it to this edition of Windows 10 by these methods: | | | +|-------------|---------------------|-----------------------------------|-------------------------------|--------------------------------------------| +| | | **Store for Education** (switch/convert all devices in your tenant) | **Microsoft Store** (switch/convert one device at a time) | **Intune** (switch/convert any number of devices selected by admin) | +| **Windows 10, version 1709** | Pro in S mode | Pro EDU | Pro | Not by this method | +| | Pro | Pro EDU | Not by any method | Not by any method | +| | Home | Not by any method | Not by any method | Not by any method | +| | | | | | +| **Windows 10, version 1803** | Pro in S mode | Pro EDU in S mode | Pro | Not by this method | +| | Pro | Pro EDU | Not by any method | Not by any method | +| | Home in S mode | Not by any method | Home | Not by this method | +| | Home | Not by any method | Not by any method | Not by any method | +| | | | | | +| **Windows 10, version 1809** | Pro in S mode | Pro EDU in S mode | Pro | Pro | +| | Pro | Pro EDU | Not by any method | Not by any method | +| | Home in S mode | Not by any method | Home | Home | +| | Home | Not by any method | Not by any method | Not by any method | + + +Use the following information to switch to Windows 10 Pro through the Microsoft Store. > [!IMPORTANT] -> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare metal recover (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. +> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. + +## Switch one device through the Microsoft Store +Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device. + +Note these differences affecting switching modes in various releases of Windows 10: + +- In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible. +- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**. +- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves. -## How to switch -If you’re running Windows 10, version 1709 or version 1803, you can switch to Windows 10 Pro through the Microsoft Store. Devices running version 1803 will only be able to switch through the Store one device at a time. 1. Sign into the Microsoft Store using your Microsoft account. -2. Search for "S mode" -3. In the offer, click **Buy**, **Get**, OR **Learn more.** +2. Search for "S mode". +3. In the offer, select **Buy**, **Get**, or **Learn more.** + You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro. -## Keep Line of Business apps functioning with Desktop Bridge -Worried about your LOB apps not working in S mode? Using Desktop Bridge will enable you to convert your Line of Business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Windows Store or existing channels. +## Switch one or more devices by using Microsoft Intune -[Explore Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root) +Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE - this gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle. -## Repackage win32 apps into the MSIX format -The MSIX Packaging Tool (Preview) is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store. +1. Start Microsoft Intune. +2. Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**. +3. Follow the instructions to complete the switch. + + +## Block users from switching + +You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10. +To set this, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**. + +## S mode management with CSPs + +In addition to using Microsoft Intune or another modern device management tool to manage S mode, you can also use the [WindowsLicensing](https://docs.microsoft.com/windows/client-management/mdm/windowslicensing-csp) configuration service provider (CSP). In Windows 10, version 1809, we added S mode functionality that lets you switch devices, block devices from switching, and check the status (whether a device is in S mode). -[Explore MSIX app Packaging Tool](https://docs.microsoft.com/windows/application-management/msix-app-packaging-tool) ## Related topics diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md index 315115e706..32da345a29 100644 --- a/windows/deployment/windows-autopilot/TOC.md +++ b/windows/deployment/windows-autopilot/TOC.md @@ -1,13 +1,15 @@ # [Windows Autopilot](windows-autopilot.md) ## [Requirements](windows-autopilot-requirements.md) ### [Configuration requirements](windows-autopilot-requirements-configuration.md) +#### [Intune Connector (preview)](intune-connector.md) ### [Network requirements](windows-autopilot-requirements-network.md) ### [Licensing requirements](windows-autopilot-requirements-licensing.md) ## [Scenarios and Capabilities](windows-autopilot-scenarios.md) ### [Support for existing devices](existing-devices.md) ### [User-driven mode](user-driven.md) +#### [Azure Active Directory joined](user-driven-aad.md) +#### [Hybrid Azure Active Directory joined](user-driven-hybrid.md) ### [Self-deploying mode](self-deploying.md) -### [Enrollment status page](enrollment-status.md) ### [Windows Autopilot Reset](windows-autopilot-reset.md) #### [Remote reset](windows-autopilot-reset-remote.md) #### [Local reset](windows-autopilot-reset-local.md) @@ -15,11 +17,14 @@ ### [Configuring](configure-autopilot.md) #### [Adding devices](add-devices.md) #### [Creating profiles](profiles.md) +#### [Enrollment status page](enrollment-status.md) +#### [BitLocker encryption](bitlocker.md) ### [Administering Autopilot via Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) ### [Administering Autopilot via Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot) ### [Administering Autopilot via Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) ## Getting started ### [Demonstrate Autopilot deployment on a VM](demonstrate-deployment-on-vm.md) +## [Customer consent](registration-auth.md) ## [Troubleshooting](troubleshooting.md) ## [FAQ](autopilot-faq.md) -## [Support](autopilot-support.md) \ No newline at end of file +## [Support](autopilot-support.md) diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md index 1bc77cb9db..db20123f7a 100644 --- a/windows/deployment/windows-autopilot/add-devices.md +++ b/windows/deployment/windows-autopilot/add-devices.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Adding devices to Windows Autopilot @@ -20,6 +19,20 @@ ms.date: 10/02/2018 Before deploying a device using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service. Ideally, this would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually. +## Manual registration + +To perform manual registration of a device, you must caputure its hardware ID (also known as a hardware hash) and upload this to the Windows Autopilot deployment service. See the topics below for detailed information on how to collect and upload hardware IDs. + +>[!IMPORTANT] +>Do not connect devices to the Internet prior to capturing the hardware ID and creating an Autopilot device profile. This includes collecting the hardware ID, uploading the .CSV into MSfB or Intune, assigning the profile, and confirming the profile assignment. Connecting the device to the Internet before this process is complete will result in the device downloading a blank profile that is stored on the device until it is explicity removed. In Windows 10 version 1809, you can clear the cached profile by restarting OOBE. In previous versions, the only way to clear the stored profile is to re-install the OS, reimage the PC, or run **sysprep /generalize /oobe**.
    +>After Intune reports the profile ready to go, only then should the device be connected to the Internet. + +Also note that if OOBE is restarted too many times it can enter a recovery mode and fail to run the Autopilot configuration. You can identify this scenario if OOBE displays multiple configuration options on the same page, including language, region, and keyboard layout. The normal OOBE displays each of these on a separate page. The following value key tracks the count of OOBE retries: + +**HKCU\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UserOOBE** + +To ensure OOBE has not been restarted too many times, you can change this value to 1. + ## Device identification To define a device to the Windows Autopilot deployment service, a unique hardware ID for the device needs to be captured and uploaded to the service. While this step is ideally done by the hardware vendor (OEM, reseller, or distributor), automatically associating the device with an organization, it is also possible to do this through a harvesting process that collects the device from within a running Windows 10 version 1703 or later installation. @@ -32,28 +45,26 @@ Note that the hardware hash also contains details about when it was generated, s The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo). -To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, these commands can be used: +To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, use the following commands from an elevated Windows PowerShell prompt: -*md c:\\HWID* +```powershell +md c:\\HWID +Set-Location c:\\HWID +Set-ExecutionPolicy Unrestricted +Install-Script -Name Get-WindowsAutoPilotInfo +Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv +``` -*Set-Location c:\\HWID* - -*Set-ExecutionPolicy Unrestricted* - -*Install-Script -Name Get-WindowsAutoPilotInfo* - -*Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv* - -You must run this PowerShell script with administrator privileges (elevated). It can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the Get-WindowsAutoPilotInfo script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information. +The commands can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the Get-WindowsAutoPilotInfo script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information about running the script. >[!NOTE] ->With Windows 10 version 1803 and above, devices will download an Autopilot profile as soon as they connect to the internet. For devices that are not yet registered with the Autopilot deployment service, a profile will be downloaded that indicates the device should not be deployed using Autopilot. If the device connects to the internet as part of the collection process, you will need to reset the PC, reimage the PC, or re-generalize the OS (using sysprep /generalize /oobe). +>If you will connect to the device remotely to collect the hardware ID, see the information at the top of this page about device connectivity to the Internet. ## Collecting the hardware ID from existing devices using System Center Configuration Manager Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details. -## Uploading hardware IDs +## Registering devices Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism: diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md index 46286ceb3f..850f631e72 100644 --- a/windows/deployment/windows-autopilot/autopilot-faq.md +++ b/windows/deployment/windows-autopilot/autopilot-faq.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 11/05/2018 --- # Windows Autopilot FAQ @@ -25,8 +24,9 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e | Question | Answer | | --- | --- | -| In the Partner Center, does the Tenant ID need to be provided with every device file upload (to then allow the business customer to access their devices in MSfB)? | No. Providing the Tenant ID is a one-time entry in the Partner Center that can be re-used with future device uploads. | +| In the Partner Center, does the Tenant ID need to be provided with every device file upload? Is this needed to allow the business customer to access their devices in MSfB? | No. Providing the Tenant ID is a one-time entry in the Partner Center that can be re-used with future device uploads. | | How does the customer or tenant know that their devices are ready to be claimed in MSfB? | After the device file upload is completed in the Partner Center, the tenant can see the devices available for Windows Autopilot setup in MSfB. The OEM would need to advise the tenant to access MSfB. Auto-notification from MSfB to the tenant is being developed. | +| How does a customer authorize an OEM or Channel Partner to register Autopilot devices on the customer’s behalf? | Before an OEM or Channel Partner can register a device for Autopilot on behalf of a customer, the customer must first give them consent. The consent process begins with the OEM or Channel Partner sending a link to the customer, which directs the customer to a consent page in Microsoft Store for Business. The steps explaining this process are [here](registration-auth.md). | | Are there any restrictions if a business customer has registered devices in MSfB and later wants those devices to be managed by a CSP via the Partner Center? | The devices will need to be deleted in MSfB by the business customer before the CSP can upload and manage them in the Partner Center. | | Does Windows Autopilot support removing the option to enable a local administrator account? | Windows Autopilot doesn’t support removing the local admin account. However, it does support restricting the user performing AAD domain join in OOBE to a standard account (versus admin account by default).| | How can I test the Windows Autopilot CSV file in the Partner Center? | Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account which has access to “Devices” for testing the file. This can be done today in the Partner Center.

    Go [here](https://msdn.microsoft.com/partner-center/createuseraccounts-and-set-permissions) for more information. | @@ -69,7 +69,7 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e | Question | Answer | | --- | --- | -| How does Autopilot handle motherboard replacement scenarios?” | Motherboard replacement is out for scope for Autopilot. Any device that is repaired or serviced in a way that alters the ability to identify the device for Windows Autopilot must go through the normal OOBE process, and manually select the right settings or apply a custom image - as is the case today.

    To reuse the same device for Windows Autopilot after a motherboard replacement, the device would need to be de-registered from Autopilot, the motherboard replaced, a new 4K HH harvested, and then re-registered using the new 4K HH (or device ID).

    **Note**: An OEM will not be able to use the OEM Direct API to re-register the device, since the the OEM Direct API only accepts a tuple or PKID. In this case, the OEM would either have to send the new 4K HH info via a CSV file to customer, and let customer reregister the device via MSfB or Intune.| +| How does Autopilot handle motherboard replacement scenarios?” | Motherboard replacement is out for scope for Autopilot. Any device that is repaired or serviced in a way that alters the ability to identify the device for Windows Autopilot must go through the normal OOBE process, and manually select the right settings or apply a custom image - as is the case today.

    To reuse the same device for Windows Autopilot after a motherboard replacement, the device would need to be de-registered from Autopilot, the motherboard replaced, a new 4K HH harvested, and then re-registered using the new 4K HH (or device ID).

    **Note**: An OEM will not be able to use the OEM Direct API to re-register the device, since the OEM Direct API only accepts a tuple or PKID. In this case, the OEM would either have to send the new 4K HH info via a CSV file to customer, and let customer reregister the device via MSfB or Intune.| ## SMBIOS diff --git a/windows/deployment/windows-autopilot/bitlocker.md b/windows/deployment/windows-autopilot/bitlocker.md new file mode 100644 index 0000000000..ae47150794 --- /dev/null +++ b/windows/deployment/windows-autopilot/bitlocker.md @@ -0,0 +1,45 @@ +--- +title: Setting the BitLocker encryption algorithm for Autopilot devices +description: Microsoft Intune provides a comprehensive set of configuration options to manage BitLocker on Windows 10 devices. +keywords: Autopilot, BitLocker, encryption, 256-bit, Windows 10 +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +ms.localizationpriority: medium +author: greg-lindsay +ms.author: greg-lindsay +--- + +# Setting the BitLocker encryption algorithm for Autopilot devices + +With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. This ensures that the default encrytion algorithm is not applied automatically when this is not the desired setting. Other BitLocker policies that must be applied prior to encryption can also be delivered before automatic BitLocker encryption begins. + +The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use. + +To ensure the desired BitLocker encryption algorithm is set before automatic encryption occurs for Autopilot devices: + +1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. +2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. + - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users. +3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. + - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts. + +An example of Microsoft Intune Windows Encryption settings is shown below. + + ![BitLocker encryption settings](images/bitlocker-encryption.png) + +Note that a device which is encrypted automatically will need to be decrypted prior to changing the encyption algorithm. + +The settings are available under Device Configuration -> Profiles -> Create profile -> Platform = Windows 10 and later, Profile type = Endpoint protection -> Configure -> Windows Encryption -> BitLocker base settings, Configure encryption methods = Enable. + +Note: It is also recommended to set Windows Encryption -> Windows Settings -> Encrypt = **Require**. + +## Requirements + +Windows 10, version 1809 or later. + +## See also + +[Bitlocker overview](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview) \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/configure-autopilot.md b/windows/deployment/windows-autopilot/configure-autopilot.md index 7444e0b565..2a35ccf721 100644 --- a/windows/deployment/windows-autopilot/configure-autopilot.md +++ b/windows/deployment/windows-autopilot/configure-autopilot.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Configure Autopilot deployment @@ -26,7 +25,10 @@ When deploying new devices using Windows Autopilot, a common set of steps are re 2. [Assign a profile of settings to each device](profiles.md), specifying how the device should be deployed and what user experience should be presented. -3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download the profile settings which are used to customize the end user experience. +3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download profile settings such as the [Enrollment Status page](enrollment-status.md), which are used to customize the end user experience. +## Related topics + +[Windows Autopilot scenarios](windows-autopilot-scenarios.md) diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 6a8c2d3e3d..f47603c201 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Demonstrate Autopilot deployment on a VM diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md index b3432a245a..01a31ebad9 100644 --- a/windows/deployment/windows-autopilot/enrollment-status.md +++ b/windows/deployment/windows-autopilot/enrollment-status.md @@ -10,7 +10,6 @@ ms.pagetype: deploy ms.localizationpriority: medium author: greg-lindsay ms.author: greg-lindsay -ms.date: 11/01/2018 --- # Windows Autopilot Enrollment Status page @@ -33,6 +32,7 @@ The Windows Autopilot Enrollment Status page displaying the status of the comple Show error when installation takes longer than specified number of minutesSpecify the number of minutes to wait for installation to complete. A default value of 60 minutes is entered. Show custom message when an error occursA text box is provided where you can specify a custom message to display in case of an installation error.The default message is displayed:
    Oh no! Something didn't do what it was supposed to. Please contact your IT department. Allow users to collect logs about installation errorsIf there is an installation error, a Collect logs button is displayed.
    If the user clicks this button they are asked to choose a location to save the log file MDMDiagReport.cabThe Collect logs button is not displayed if there is an installation error. +Block device use until these required apps are installed if they are assigned to the user/deviceChoose All or Selected.

    If Selected is chosen, a Select apps button is displayed that enables you to choose which apps must be installed prior to enabling device use. See the following example: @@ -48,13 +48,18 @@ The Enrollment Status page tracks a subset of the available MDM CSP policies tha - Enterprise desktop apps (single-file MSIs) installed by the [Enterprise Desktop App Management CSP](https://docs.microsoft.com/windows/client-management/mdm/enterprisedesktopappmanagement-csp). - Certain device configuration policies. -Presently the following types of policies are not tracked: +The following types of policies and installations are not tracked: -- Intune Management Extensions PowerShell scripts. -- Office 365 ProPlus installations. -- System Center Configuration Manager apps, packages, and task sequences. +- Intune Management Extensions PowerShell scripts +- Office 365 ProPlus installations** +- System Center Configuration Manager apps, packages, and task sequences -## For more information +**The ability to track Office 365 ProPlus installations was added with Windows 10, version 1809.
    -For more information on configuring the Enrollment Status page, [see the Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status). For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP docuementation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp). +## More information +For more information on configuring the Enrollment Status page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).
    +For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP docuementation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
    +For more information about blocking for app installation: +- [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/). +- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514). \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/images/bitlocker-encryption.png b/windows/deployment/windows-autopilot/images/bitlocker-encryption.png new file mode 100644 index 0000000000..96e2d94fb3 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/bitlocker-encryption.png differ diff --git a/windows/deployment/windows-autopilot/images/connector-fail.png b/windows/deployment/windows-autopilot/images/connector-fail.png new file mode 100644 index 0000000000..2d8abb5785 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/connector-fail.png differ diff --git a/windows/deployment/windows-autopilot/images/csp1.png b/windows/deployment/windows-autopilot/images/csp1.png new file mode 100644 index 0000000000..81e59080c8 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/csp1.png differ diff --git a/windows/deployment/windows-autopilot/images/csp2.png b/windows/deployment/windows-autopilot/images/csp2.png new file mode 100644 index 0000000000..cf095b831c Binary files /dev/null and b/windows/deployment/windows-autopilot/images/csp2.png differ diff --git a/windows/deployment/windows-autopilot/images/csp3.png b/windows/deployment/windows-autopilot/images/csp3.png new file mode 100644 index 0000000000..8b0647e4b4 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/csp3.png differ diff --git a/windows/deployment/windows-autopilot/images/csp4.png b/windows/deployment/windows-autopilot/images/csp4.png new file mode 100644 index 0000000000..608128e5ab Binary files /dev/null and b/windows/deployment/windows-autopilot/images/csp4.png differ diff --git a/windows/deployment/windows-autopilot/images/csp5.png b/windows/deployment/windows-autopilot/images/csp5.png new file mode 100644 index 0000000000..f43097c62b Binary files /dev/null and b/windows/deployment/windows-autopilot/images/csp5.png differ diff --git a/windows/deployment/windows-autopilot/images/csp6.png b/windows/deployment/windows-autopilot/images/csp6.png new file mode 100644 index 0000000000..8b0647e4b4 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/csp6.png differ diff --git a/windows/deployment/windows-autopilot/images/csp7.png b/windows/deployment/windows-autopilot/images/csp7.png new file mode 100644 index 0000000000..608128e5ab Binary files /dev/null and b/windows/deployment/windows-autopilot/images/csp7.png differ diff --git a/windows/deployment/windows-autopilot/images/esp-settings.png b/windows/deployment/windows-autopilot/images/esp-settings.png index 0153ba58f9..df0fe655e9 100644 Binary files a/windows/deployment/windows-autopilot/images/esp-settings.png and b/windows/deployment/windows-autopilot/images/esp-settings.png differ diff --git a/windows/deployment/windows-autopilot/intune-connector.md b/windows/deployment/windows-autopilot/intune-connector.md new file mode 100644 index 0000000000..50ee521951 --- /dev/null +++ b/windows/deployment/windows-autopilot/intune-connector.md @@ -0,0 +1,52 @@ +--- +title: Intune Connector (preview) requirements +description: Intune Connector (preview) issue workaround +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: low +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 11/26/2018 +--- + + +# Intune Connector (preview) language requirements + +**Applies to: Windows 10** + +Microsoft has released a [preview for Intune connector for Active Directory](https://docs.microsoft.com/intune/windows-autopilot-hybrid) that enables user-driven [Hybrid Azure Active Directory join](user-driven-hybrid.md) for Windows Autopilot. + +In this preview version of the Intune Connector, you might receive an error message indicating a setup failure with the following error code and message: + +**0x80070658 - Error applying transforms. Verify that the specified transform paths are valid.** + +An [example](#example) of the error message is displayed at the bottom of this topic. + +This error can be resolved by ensuring that the member server where Intune Connector is running has one of the following language packs installed and configured to be the default keyboard layout: + +| | | | | | | | | | | | +| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | +| en-US | cs-CZ | da-DK | de-DE | el-GR | es-ES | fi-FI | fr-FR | hu-HU | it-IT | ja-JP | +| ko-KR | nb-NO | nl-NL | pl-PL | pt-BR | ro-RO | ru-RU | sv-SE | tr-TR | zh-CN | zh-TW | + +>[!NOTE] +>After installing the Intune Connector, you can restore the keyboard layout to its previous settings.
    +>This solution is a workaround and will be fully resolved in a future release of the Intune Connector. + +To change the default keyboard layout: + +1. Click **Settings > Time & language > Region and language** +2. Select one of the languages listed above and choose **Set as default**. + +If the language you need isn't listed, you can add additional languages by selecting **Add a language**. + +## Example + +The following is an example of the error message that can be displayed if one of the listed languages is not used during setup: + +![Connector error](images/connector-fail.png) + + diff --git a/windows/deployment/windows-autopilot/profiles.md b/windows/deployment/windows-autopilot/profiles.md index 26e9395e49..32455a34ad 100644 --- a/windows/deployment/windows-autopilot/profiles.md +++ b/windows/deployment/windows-autopilot/profiles.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Configure Autopilot profiles @@ -18,7 +17,29 @@ ms.date: 10/02/2018 - Windows 10 -For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied to specify the exact behavior of that device when it is deployed. The following profile settings are available: +For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied that specifies the exact behavior of that device when it is deployed. For detailed procedures on how to configure profile settings and register devices, see [Registering devices](add-devices.md#registering-devices). + +## Profile download + +When an Internet-connected Windows 10 device boots up, it will attempt to connect to the Autopilot service and download an Autopilot profile. Note: It is important that a profile exists at this stage so that a blank profile is not cached locally on the PC. To remove the currently cached local profile in Windows 10 version 1803 and earlier, it is necessary to re-generalize the OS using **sysprep /generalize /oobe**, reinstall the OS, or re-image the PC. In Windows 10 version 1809 and later, you can retrieve a new profile by rebooting the PC. + +When a profile is downloaded depends on the version of Windows 10 that is running on the PC. See the following table. + +| Windows 10 version | Profile download behavior | +| --- | --- | +| 1703 and 1709 | The profile is downloaded after the OOBE network connection page. This page is not displayed when using a wired connection. In this case, the profile is downloaded just prior to the EULA screen. | +| 1803 | The profile is downloaded as soon as possible. If wired, it is downloaded at the start of OOBE. If wireless, it is downloaded after the network connection page. | +| 1809 | The profile is downloaded as soon as possible (same as 1803), and again after each reboot. | + +If you need to reboot a computer during OOBE: +- Press Shift-F10 to open a command prompt. +- Enter **shutdown /r /t 0** to restart immediately, or **shutdown /s /t 0** to shutdown immediately. + +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options). + +## Profile settings + +The following profile settings are available: - **Skip Cortana, OneDrive and OEM registration setup pages**. All devices registered with Autopilot will automatically skip these pages during the out-of-box experience (OOBE) process. @@ -33,3 +54,7 @@ For each device that has been defined to the Windows Autopilot deployment servic - **Skip End User License Agreement (EULA)**. Starting in Windows 10 version 1709, organizations can decide to skip the EULA page presented during the OOBE process. This means that organizations accept the EULA terms on behalf of their users. - **Disable Windows consumer features**. Starting in Windows 10 version 1803, organizations can disable Windows consumer features so that the device does not automatically install any additional Microsoft Store apps when the user first signs into the device. See the [MDM documentation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) for more details. + +## Related topics + +[Configure Autopilot deployment](configure-autopilot.md) diff --git a/windows/deployment/windows-autopilot/registration-auth.md b/windows/deployment/windows-autopilot/registration-auth.md new file mode 100644 index 0000000000..5a5dcf695d --- /dev/null +++ b/windows/deployment/windows-autopilot/registration-auth.md @@ -0,0 +1,76 @@ +--- +title: Windows Autopilot customer consent +description: Support information for Windows Autopilot +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, csp, OEM +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: low +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +ms.author: greg-lindsay +--- + +# Windows Autopilot customer consent + +**Applies to: Windows 10** + +This article describes how a cloud service provider (CSP) partner (direct bill, indirect provider, or indirect reseller) or an OEM can get customer authorization to register Windows Autopilot devices on the customer’s behalf. + +## CSP authorization + +CSP partners can get customer authorization to register Windows Autopilot devices on the customer’s behalf per the following restrictions: + + +
    Direct CSPGets direct authorization from the customer to register devices. +
    Indirect CSP ProviderGets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center. +
    Indirect CSP ResellerGets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. +
    + +### Steps + +For a CSP to register Windows Autopilot devices on behalf of a customer, the customer must first grant that CSP partner permission using the following process: + +1. CSP sends link to customer requesting authorization/consent to register/manage devices on their behalf. To do so: + - CSP logs into Microsoft Partner Center + - Click **Dashboard** on the top menu + - Click **Customer** on the side menu + - Click the **Request a reseller relationship** link: + ![Request a reseller relationship](images/csp1.png) + - Select the checkbox indicating whether or not you want delegated admin rights: + ![Delegated rights](images/csp2.png) + - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/en-us/partner-center/customers_revoke_admin_privileges + - Send the template above to the customer via email. +2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page: + + ![Global admin](images/csp3.png) + + NOTE: A user without global admin privileges who clicks the link will see a message similar to the following: + + ![Not global admin](images/csp4.png) + +3. Customer selects the **Yes** checkbox, followed by the **Accept** button. Authorization happens instantaneously. +4. The CSP will know that this consent/authorization request has been completed because the customer will show up in the CSP’s MPC account under their **customers** list, for example: + +![Customers](images/csp5.png) + +## OEM authorization + +Each OEM has a unique link to provide to their respective customers, which the OEM can request from Microsoft via msoemops@microsoft.com. + +1. OEM emails link to their customer. +2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link once they receive it from the OEM, which takes them directly to the following MSfB page: + + ![Global admin](images/csp6.png) + + NOTE: A user without global admin privileges who clicks the link will see a message similar to the following: + + ![Not global admin](images/csp7.png) +3. Customer selects the **Yes** checkbox, followed by the **Accept** button, and they’re done. Authorization happens instantaneously. + +4. The OEM can use the Validate Device Submission Data API to verify the consent has completed. This API is discussed in the latest version of the API Whitepaper, p. 14ff [https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx](https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx). **Note**: this link is only accessible by Microsoft Device Partners. As discussed in this whitepaper, it’s a best practice recommendation for OEM partners to run the API check to confirm they’ve received customer consent before attempting to register devices, thus avoiding errors in the registration process. + +## Summary + +At this stage of the process, Microsoft is no longer involved; the consent exchange happens directly between the OEM and the customer. And, it all happens instantaneously - as quickly as buttons are clicked. + diff --git a/windows/deployment/windows-autopilot/rip-and-replace.md b/windows/deployment/windows-autopilot/rip-and-replace.md new file mode 100644 index 0000000000..b75fced878 --- /dev/null +++ b/windows/deployment/windows-autopilot/rip-and-replace.md @@ -0,0 +1,19 @@ +--- +title: Rip and Replace +description: Listing of Autopilot scenarios +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: high +ms.sitesec: library +ms.pagetype: deploy +author: coreyp-at-msft +ms.author: coreyp +ms.date: 06/01/2018 +--- + +# Rip and replace + +**Applies to: Windows 10** + +DO NOT PUBLISH. Just a placeholder for now, coming with 1809. \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md index b4e8171fa3..68138d4b86 100644 --- a/windows/deployment/windows-autopilot/self-deploying.md +++ b/windows/deployment/windows-autopilot/self-deploying.md @@ -10,51 +10,42 @@ ms.pagetype: ms.localizationpriority: medium author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Windows Autopilot Self-Deploying mode (Preview) -**Applies to: Windows 10, build 17672 or later** +**Applies to: Windows 10, version 1809 or later** -Windows Autopilot self-deploying mode offers truly zero touch provisioning. With this mode, all you need to do is power on a device, plug it into Ethernet, and watch Windows Autopilot fully configure the device. No additional user interaction is required. ->[!NOTE] ->In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. +Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction. For devices with an Ethernet connection, no user interaction is required; for devices connected via Wi-fi, no interaction is required after making the Wi-fi connection (choosing the language, locale, and keyboard, then making a network connection). -![The user experience with Windows Autopilot self-deploying mode](images/self-deploy-welcome.png) - ->[!NOTE] ->While today there is a “Next” button that must be clicked to continue the deployment process, and an Activities opt-in page in OOBE, both of these will be removed in future Insider Preview builds to enable a completely automated deployment process – no user authentication or user interaction will be required. - -Self-deploying mode can register the device into an organization’s Azure Active Directory tenant, enroll the device in the organization’s mobile device management (MDM) provider (leveraging Azure AD for automatic MDM enrollment), and ensure that all policies, applications, certificates, and networking profiles are provisioned on the device before the user ever logs on (levering the enrollment status page to prevent access to the desktop until the device is fully provisioned). +Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, leveraging the enrollment status page to prevent access to the desktop until the device is fully provisioned. >[!NOTE] >Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory. -Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode. +Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details. >[!NOTE] ->If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error. +>Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. -Windows Autopilot self-deploying mode enables you to effortlessly deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details. - -Windows Autopilot self-deploying mode is available on Windows 10 build 17672 or higher. When configuring an Autopilot profile in Microsoft Intune, you’ll see a new drop-down menu that asks for the deployment mode. In that menu, select Self-deploying (preview) and apply that profile to the devices you’d like to validate. +![The user experience with Windows Autopilot self-deploying mode](images/self-deploy-welcome.png) + +## Requirements + +Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode. The devices must also support TPM device attestation. (All newly-manufactured Windows devices should meet these requirements.) + +>[!NOTE] +>If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error. (Hyper-V virtual TPMs are not supported.) + +In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. ## Step by step In order to perform a self-deploying mode deployment using Windows Autopilot, the following preparation steps need to be completed: - Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. (Note that it is not possible to create a profile in the Microsoft Store for Business or Partner Center for self-deploying mode.) -- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. - -For each machine that will be deployed using self-deploying mode, these additional steps are needed: - -- Ensure that the device supports TPM 2.0 and device attestation. (Note that virtual machines are not supported.) -- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information. -- Ensure an Autopilot profile has been assigned to the device: - - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically. - - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. - - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. +- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. Ensure that the profile has been assigned to the device before attempting to deploy that device. +- Boot the device, connecting it to Wi-fi if required, then wait for the provisioning process to complete. ## Validation @@ -73,4 +64,4 @@ When performing a self-deploying mode deployment using Windows Autopilot, the fo - Remain at the logon screen, where any member of the organization can log on by specifying their Azure AD credentials. - Automatically sign in as a local account, for devices configured as a kiosk or digital signage. -In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation. \ No newline at end of file +In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation. diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md index 8d39c2b0a0..8a248dbf27 100644 --- a/windows/deployment/windows-autopilot/troubleshooting.md +++ b/windows/deployment/windows-autopilot/troubleshooting.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Troubleshooting Windows Autopilot diff --git a/windows/deployment/windows-autopilot/user-driven-aad.md b/windows/deployment/windows-autopilot/user-driven-aad.md index 6da9e99b33..50dd79e58e 100644 --- a/windows/deployment/windows-autopilot/user-driven-aad.md +++ b/windows/deployment/windows-autopilot/user-driven-aad.md @@ -1,19 +1,34 @@ ---- -title: User-driven mode for AAD -description: Listing of Autopilot scenarios -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: low -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greg-lindsay -ms.date: 10/02/2018 ---- - -# Windows Autopilot user-driven mode for Azure Active Directory - -**Applies to: Windows 10** - -PLACEHOLDER. This topic is a placeholder for the AAD-specific instuctions currently in user-driven.md. +--- +title: User-driven mode for AAD +description: Listing of Autopilot scenarios +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: low +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +ms.author: greg-lindsay +--- + +# Windows Autopilot user-driven mode for Azure Active Directory join + +**Applies to: Windows 10** + +## Procedures + +In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed: + +- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information. +- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected. +- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. + +For each device that will be deployed using user-driven deployment, these additional steps are needed: + +- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information. +- Ensure an Autopilot profile has been assigned to the device: + - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically. + - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. + - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. + +Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/user-driven-hybrid.md b/windows/deployment/windows-autopilot/user-driven-hybrid.md index 6f4a760dcc..895992424d 100644 --- a/windows/deployment/windows-autopilot/user-driven-hybrid.md +++ b/windows/deployment/windows-autopilot/user-driven-hybrid.md @@ -9,12 +9,31 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- -# Windows Autopilot user-driven mode for Hybrid Azure Active Directory Join +# Windows Autopilot user-driven mode for hybrid Azure Active Directory join **Applies to: Windows 10** -PLACEHOLDER. This topic is a placeholder for the AD-specific (hybrid) instuctions. +Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan). + +## Requirements + +To perform a user-driven hybrid AAD joined deployment using Windows Autopilot: + +- A Windows Autopilot profile for user-driven mode must be created and + - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile. +- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group. +- The device must be running Windows 10, version 1809 or later. +- The device must be connected to the Internet and have access to an Active Directory domain controller. +- The Intune Connector for Active Directory must be installed. + - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. + +**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default. + +## Step by step instructions + +See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid). + +Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md index 1aa1ad5321..efe36198a5 100644 --- a/windows/deployment/windows-autopilot/user-driven.md +++ b/windows/deployment/windows-autopilot/user-driven.md @@ -8,11 +8,12 @@ ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 10/02/2018 +ms.date: 11/07/2018 ms.author: greg-lindsay -ms.date: 10/02/2018 --- +# Windows Autopilot user-driven mode + Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions: - Unbox the device, plug it in, and turn it on. @@ -24,21 +25,12 @@ After completing those simple steps, the remainder of the process is completely Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. -## Step by step +## Available user-driven modes -In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed: +The following options are available for user-driven deployment: -- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information. -- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected. -- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. - -For each machine that will be deployed using user-driven deployment, these additional steps are needed: - -- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information. -- Ensure an Autopilot profile has been assigned to the device: - - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically. - - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. - - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. +- [Azure Active Directory join](user-driven-aad.md) is available if devices do not need to be joined to an on-prem Active Directory domain. +- [Hybrid Azure Active Directory join](user-driven-hybrid.md) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. ## Validation diff --git a/windows/deployment/windows-autopilot/windows-10-autopilot.md b/windows/deployment/windows-autopilot/windows-10-autopilot.md deleted file mode 100644 index 6b988faa67..0000000000 --- a/windows/deployment/windows-autopilot/windows-10-autopilot.md +++ /dev/null @@ -1,144 +0,0 @@ ---- -title: Overview of Windows Autopilot -description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices. -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greg-lindsay -ms.date: 10/02/2018 ---- - -# Overview of Windows Autopilot - -**Applies to** - -- Windows 10 - -Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows Autopilot to reset, repurpose and recover devices.
    -This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. - -The following video shows the process of setting up Autopilot: - -
    - - -## Benefits of Windows Autopilot - -Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows Autopilot introduces a new approach. - -From the users' perspective, it only takes a few simple operations to make their device ready to use. - -From the IT pros' perspective, the only interaction required from the end user, is to connect to a network and to verify their credentials. Everything past that is automated. - -## Windows Autopilot Scenarios - -### Cloud-Driven - -The Cloud-Driven scenario enables you to pre-register devices through the Windows Autopilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side. - -#### The Windows Autopilot Deployment Program experience - -The Windows Autopilot Deployment Program enables you to: -* Automatically join devices to Azure Active Directory (Azure AD) -* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)) -* Restrict the Administrator account creation -* Create and auto-assign devices to configuration groups based on a device's profile -* Customize OOBE content specific to the organization - -##### Prerequisites - ->[!NOTE] ->Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. - -* [Devices must be registered to the organization](#device-registration-and-oobe-customization) -* [Company branding needs to be configured](#configure-company-branding-for-oobe) -* [Network connectivity to cloud services used by Windows Autopilot](#network-connectivity-requirements) -* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later -* Devices must have access to the internet -* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features) -* [Users must be allowed to join devices into Azure AD](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal) -* Microsoft Intune or other MDM services to manage your devices - -The end-user unboxes and turns on a new device. What follows are a few simple configuration steps: -* Select a language and keyboard layout -* Connect to the network -* Provide email address (the email address of the user's Azure AD account) and password - -Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure AD, enrolled in Microsoft Intune (or any other MDM service). - -MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date. - -
    - - -#### Device registration and OOBE customization - -To register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf. - -If you would like to capture that information by yourself, you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo), which will generate a .csv file with the device's hardware ID. - -Once devices are registered, these are the OOBE customization options available for Windows 10, starting with version 1703: -* Skipping Work or Home usage selection (*Automatic*) -* Skipping OEM registration, OneDrive and Cortana (*Automatic*) -* Skipping privacy settings -* Skipping EULA (*starting with Windows 10, version 1709*) -* Preventing the account used to set-up the device from getting local administrator permissions - -For guidance on how to register devices, configure and apply deployment profiles, follow one of the available administration options: -* [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) -* [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot) -* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) - -##### Configure company branding for OOBE - -In order for your company branding to appear during the OOBE, you'll need to configure it in Azure Active Directory first. - -See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory), to configure these settings. - -##### Configure MDM auto-enrollment in Microsoft Intune - -In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Microsoft Intune, please see [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details. - ->[!NOTE] ->MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription. - -#### Network connectivity requirements - -The Windows Autopilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices. - -To manage devices behind firewalls and proxy servers, the following URLs need to be accessible: - -* https://go.microsoft.com -* https://login.microsoftonline.com -* https://login.live.com -* https://account.live.com -* https://signup.live.com -* https://licensing.mp.microsoft.com -* https://licensing.md.mp.microsoft.com -* ctldl.windowsupdate.com -* download.windowsupdate.com - ->[!NOTE] ->Where not explicitly specified, both HTTPS (443) and HTTP (80) need to be accessible. - ->[!TIP] ->If you're auto-enrolling your devices into Microsoft Intune, or deploying Microsoft Office, make sure you follow the networking guidelines for [Microsoft Intune](https://docs.microsoft.com/intune/network-bandwidth-use#network-communication-requirements) and [Office 365](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2). - -### IT-Driven - -If you are planning to configure devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). - - -### Self-Deploying - -Windows Autopilot self-deploying mode offers truly zero touch provisioning. With this mode, all you need to do is power on a device, plug it into Ethernet, and watch Windows Autopilot fully configure the device. No additional user interaction is required. see [Windows Autopilot Self-Deploying mode (Preview)] (/windows/deployment/windows-autopilot/self-deploying). - - -### Teacher-Driven - -If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details. - diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md index d71d8e0a81..ed91b71732 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Windows Autopilot configuration requirements diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md index 2b9a7d76f8..f88d935d8c 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md @@ -9,29 +9,23 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 -ms.author: greg-lindsay -ms.date: 10/02/2018 --- + # Windows Autopilot licensing requirements **Applies to: Windows 10** Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory; it also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs: -- Windows 10 version 1703 or higher must be used. Supported editions are the following: - - Pro - - Pro Education - - Pro for Workstations - - Enterprise - - Education -- One of the following, to provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality: - - Microsoft 365 Business subscriptions - - Microsoft 365 F1 subscriptions - - Microsoft 365 Enterprise E3 or E5 subscriptions, which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune) - - Enterprise Mobility + Security E3 or E5 subscriptions, which include all needed Azure AD and Intune features - - Azure Active Directory Premium P1 or P2 and Intune subscriptions (or an alternative MDM service) +- To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required: + - [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business) + - [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline) + - [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx) + - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune) + - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features + - [Intune for Education subscriptions](https://docs.microsoft.com/en-us/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features + - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/en-us/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service) -Additionally, the following are also recommended but not required: -- Office 365 ProPlus, which can be deployed easily via Intune (or other MDM services) +Additionally, the following are also recommended (but not required): +- [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services) - [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md index 5474e7fb94..ff491c2f9d 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Windows Autopilot networking requirements diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index 3b1ede0e05..ae16b100af 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md @@ -9,15 +9,32 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Windows Autopilot requirements **Applies to: Windows 10** -Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met: +Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met. -- [Licensing requirements](windows-autopilot-requirements-licensing.md) must be met. -- [Networking requirements](windows-autopilot-requirements-network.md) need to be met. -- [Configuration requirements](windows-autopilot-requirements-configuration.md) need to be completed. \ No newline at end of file +- Windows 10 version 1703 (semi-annual channel) or higher is required. +- The following editions are supported: + - Pro + - Pro Education + - Pro for Workstations + - Enterprise + - Education + +- Windows 10 Enterprise 2019 LTSC is also supported. + +See the following topics for details on licensing, network, and configuration requirements: +- [Licensing requirements](windows-autopilot-requirements-licensing.md) +- [Networking requirements](windows-autopilot-requirements-network.md) +- [Configuration requirements](windows-autopilot-requirements-configuration.md) + - For details about specific configuration requirements to enable user-driven Hybrid Azure Active Directory join for Windows Autopilot, see [Intune Connector (preview) language requirements](intune-connector.md). This requirement is a temporary workaround, and will be removed in the next release of Intune Connector. + +There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications). + +## Related topics + +[Configure Autopilot deployment](configure-autopilot.md) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md index c97d79add8..59ee22ba1a 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md @@ -10,7 +10,6 @@ ms.pagetype: ms.localizationpriority: medium author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Reset devices with local Windows Autopilot Reset diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md index 1f7cca216f..991d7dd424 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md @@ -10,7 +10,6 @@ ms.pagetype: ms.localizationpriority: medium author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Reset devices with remote Windows Autopilot Reset (Preview) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md index 9e83d32bbb..05d45ae57a 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset.md @@ -10,7 +10,6 @@ ms.pagetype: ms.localizationpriority: medium author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Windows Autopilot Reset diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md index 9db8678ee2..e59b199a77 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Windows Autopilot scenarios @@ -20,7 +19,11 @@ Windows Autopilot includes support for a growing list of scenarios, designed to For details about these scenarios, see these additional topics: -- [Windows Autopilot user-driven mode](user-driven.md), for devices that will be set up by a member of the organization and configured for that person. -- [Windows Autopilot self-deploying mode](self-deploying.md), for devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device. -- [Windows Autopilot Reset](windows-autopilot-reset.md), +- [Windows Autopilot for existing devices](existing-devices.md), to deploy Windows 10 on an existing Windows 7 or 8.1 device. +- [Windows Autopilot user-driven mode](user-driven.md), for devices that will be set up by a member of the organization and configured for that person. +- [Windows Autopilot self-deploying mode](self-deploying.md), for devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device. +- [Windows Autopilot Reset](windows-autopilot-reset.md), to re-deploy a device in a business-ready state. +## Related topics + +[Windows Autopilot Enrollment Status page](enrollment-status.md) diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md index 37f8070dad..e9043c8a72 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot.md +++ b/windows/deployment/windows-autopilot/windows-autopilot.md @@ -1,20 +1,24 @@ --- title: Overview of Windows Autopilot description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices. -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, msfb, intune ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Overview of Windows Autopilot -**Applies to: Windows 10** +**Applies to** + +- Windows 10 + +Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices.
    +This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users. @@ -24,3 +28,46 @@ When initially deploying new Windows devices, Windows Autopilot leverages the OE Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, System Center Configuration Manager, and other similar tools. Windows Autopilot can help with device re-purposing scenarios, leveraging Windows Autopilot Reset to quickly prepare a device for a new user, as well as in break/fix scenarios to enable a device to quickly be brought back to a business-ready state. +## Windows Autopilot walkthrough + +The following video shows the process of setting up Windows Autopilot: + +
    + + + +## Benefits of Windows Autopilot + +Traditionally, IT pros spend a lot of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach. + +From the user's perspective, it only takes a few simple operations to make their device ready to use. + +From the IT pro's perspective, the only interaction required from the end user is to connect to a network and to verify their credentials. Everything past that is automated. + +## Requirements + +Windows 10 version 1703 or higher is required to use Windows Autopilot. The following editions are supported: +- Pro +- Pro Education +- Pro for Workstations +- Enterprise +- Education + +See [Windows Autopilot requirements](windows-autopilot-requirements.md) for detailed information on configuration, network, and licensing requirements. + +## Windows Autopilot Scenarios + +Windows Autopilot enables you to pre-register devices to your organization so that they will be fully configured with no additional intervention required by the user. + +Windows Autopilot enables you to: +* Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. +* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)). +* Restrict the Administrator account creation. +* Create and auto-assign devices to configuration groups based on a device's profile. +* Customize OOBE content specific to the organization. + +See [Windows Autopilot scenarios](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-scenarios) for more information about scenarios for using Windows Autopilot. + +## Related topics + +[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/en-us/intune/enrollment-autopilot) diff --git a/windows/docfx.json b/windows/docfx.json index f1253f1567..9ac35033eb 100644 --- a/windows/docfx.json +++ b/windows/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md index 6a6cc2230e..1883594880 100644 --- a/windows/hub/TOC.md +++ b/windows/hub/TOC.md @@ -1,5 +1,6 @@ # [Windows 10 and Windows 10 Mobile](index.md) ## [What's new](/windows/whats-new) +## [Release information](release-information.md) ## [Deployment](/windows/deployment) ## [Configuration](/windows/configuration) ## [Client management](/windows/client-management) diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index 781df2941e..8ef6442201 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -21,6 +21,7 @@ "files": [ "**/*.png", "**/*.jpg", + "**/*.svg", "**/*.gif", "**/*.pdf" ], @@ -38,7 +39,6 @@ "ms.technology": "windows", "ms.topic": "article", "ms.author": "brianlic", - "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", diff --git a/windows/hub/index.md b/windows/hub/index.md index 16c86b4a0f..dac41359d2 100644 --- a/windows/hub/index.md +++ b/windows/hub/index.md @@ -71,7 +71,7 @@ The Windows 10 operating system introduces a new way to build, deploy, and servi These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. - [Read more about Windows as a Service](/windows/deployment/update/waas-overview) -- [Read how much space does Windows 10 take](https://www.microsoft.com/en-us/windows/windows-10-specifications) + ## Related topics [Windows 10 TechCenter](https://go.microsoft.com/fwlink/?LinkId=620009) diff --git a/windows/hub/release-information.md b/windows/hub/release-information.md new file mode 100644 index 0000000000..89d0606cfe --- /dev/null +++ b/windows/hub/release-information.md @@ -0,0 +1,37 @@ +--- +title: Windows 10 - release information +description: Learn release information for Windows 10 releases +keywords: ["Windows 10", "Windows 10 October 2018 Update"] +ms.prod: w10 +layout: LandingPage +ms.topic: landing-page +ms.mktglfcycl: deploy +ms.sitesec: library +author: lizap +ms.author: elizapo +ms.localizationpriority: high +--- +# Windows 10 - Release information + +>[!IMPORTANT] +> The URL for the release information page has changed - update your bookmark! + +Microsoft has updated its servicing model. The Semi-Annual Channel (SAC) offers twice-per-year feature updates that release around March and September, with an 18-month servicing period for each release. Starting with Windows 10, version 1809, feature updates for Windows 10 Enterprise and Education editions with a targeted release month of September will be serviced for 30 months from their release date (more information can be found [here](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop/)). + +If you are not using Windows Update for Business today, “Semi-Annual Channel (Targeted)” (SAC-T) has no impact on your devices (more information can be found [here](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747)), and we recommend you begin deployment of each Semi-Annual Channel release right away to devices selected for early adoption and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. + +If you are using Windows Update for Business today, refer to the table below to understand when your device will be updated, based on which deferral period you have configured, SAC -T or SAC. + +**Notice: November 13, 2018:** All editions of Windows 10 October 2018 Update, version 1809, for Windows client and server have resumed. Customers currently running Windows 10, version 1809, will receive build 17763.134 as part of our regularly scheduled Update Tuesday servicing in November. If you update to the Window 10, version 1809, feature update you will receive build 17763.107. On the next automatic scan for updates, you’ll be taken to the latest cumulative update (build 17763.134 or higher). + +November 13 marks the revised start of the servicing timeline for the Semi-Annual Channel ("Targeted") and Long-Term Servicing Channel (LTSC) release for Windows 10, version 1809, Windows Server 2019, and Windows Server, version 1809. + +For information about the re-release and updates to the support lifecycle, refer to [John Cable's blog](https://blogs.windows.com/windowsexperience/2018/10/09/updated-version-of-windows-10-october-2018-update-released-to-windows-insiders/), [Windows 10 Update History](https://support.microsoft.com/help/4464619), and the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853). + +
    +
    + + +
    + + diff --git a/windows/known-issues/TOC.yml b/windows/known-issues/TOC.yml new file mode 100644 index 0000000000..b5ef71ac32 --- /dev/null +++ b/windows/known-issues/TOC.yml @@ -0,0 +1,2 @@ +- name: Index + href: index.md \ No newline at end of file diff --git a/windows/known-issues/breadcrumb/toc.yml b/windows/known-issues/breadcrumb/toc.yml new file mode 100644 index 0000000000..61d8fca61e --- /dev/null +++ b/windows/known-issues/breadcrumb/toc.yml @@ -0,0 +1,3 @@ +- name: Docs + tocHref: / + topicHref: / \ No newline at end of file diff --git a/windows/known-issues/docfx.json b/windows/known-issues/docfx.json new file mode 100644 index 0000000000..a11af85d90 --- /dev/null +++ b/windows/known-issues/docfx.json @@ -0,0 +1,47 @@ +{ + "build": { + "content": [ + { + "files": [ + "**/*.md", + "**/*.yml" + ], + "exclude": [ + "**/obj/**", + "**/includes/**", + "_themes/**", + "_themes.pdf/**", + "README.md", + "LICENSE", + "LICENSE-CODE", + "ThirdPartyNotices" + ] + } + ], + "resource": [ + { + "files": [ + "**/*.png", + "**/*.jpg" + ], + "exclude": [ + "**/obj/**", + "**/includes/**", + "_themes/**", + "_themes.pdf/**" + ] + } + ], + "overwrite": [], + "externalReference": [], + "globalMetadata": { + "breadcrumb_path": "/windows/known-issues/breadcrumb/toc.json", + "extendBreadcrumb": true, + "feedback_system": "None" + }, + "fileMetadata": {}, + "template": [], + "dest": "known-issues", + "markdownEngineName": "markdig" + } +} \ No newline at end of file diff --git a/windows/known-issues/index.md b/windows/known-issues/index.md new file mode 100644 index 0000000000..929011c38d --- /dev/null +++ b/windows/known-issues/index.md @@ -0,0 +1 @@ +# Welcome to known-issues! \ No newline at end of file diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md new file mode 100644 index 0000000000..014cf520b8 --- /dev/null +++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md @@ -0,0 +1,184 @@ +--- +title: Diagnostic Data Viewer for PowerShell Overview (Windows 10) +description: Use this article to use the Diagnostic Data Viewer for PowerShell to review the diagnostic data sent to Microsoft by your device. +keywords: privacy +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: high +author: brianlic-msft +ms.author: brianlic +ms.date: 01/17/2018 +--- + +# Diagnostic Data Viewer for PowerShell Overview + +**Applies to** + +- Windows 10, version 1809 +- Windows 10, version 1803 +- Windows Server, version 1803 +- Windows Server 2019 + +## Introduction +The Diagnostic Data Viewer for PowerShell is a PowerShell module that lets you review the diagnostic data your device is sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft. + +## Requirements + +You must have administrative privilege on the device in order to use this PowerShell module. This module requires OS version 1803 and higher. + +## Install and Use the Diagnostic Data Viewer for PowerShell + +You must install the module before you can use the Diagnostic Data Viewer for PowerShell. + +### Opening an Elevated PowerShell session + +Using the Diagnostic Data Viewer for PowerShell requires administrative (elevated) privilege. There are two ways to open an elevated PowerShell prompt. You can use either method. +- Go to **Start** > **Windows PowerShell** > **Run as administrator** +- Go to **Start** > **Command prompt** > **Run as administrator**, and run the command `C:\> powershell.exe` + +### Install the Diagnostic Data Viewer for PowerShell + + >[!IMPORTANT] + >It is recommended to visit the documentation on [Getting Started](https://docs.microsoft.com/en-us/powershell/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module. + +To install the newest version of the Diagnostic Data Viewer PowerShell module, run the following command within an elevated PowerShell session: +```powershell +PS C:\> Install-Module -Name Microsoft.DiagnosticDataViewer +``` + +To see more information about the module, visit [PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer). + +### Turn on data viewing +Before you can use this tool, you must turn on data viewing. Turning on data viewing enables Windows to store a local history of your device's diagnostic data for you to view until you turn it off. + +Note that this setting does not control whether your device sends diagnostic data. Instead, it controls whether your Windows device saves a local copy of the diagnostic data sent for your viewing. + +**To turn on data viewing through the Settings page** +1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. + +2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option. + + ![Location to turn on data viewing](images/ddv-data-viewing.png) + +**To turn on data viewing through PowerShell** + +Run the following command within an elevated PowerShell session: + +```powershell +PS C:\> Enable-DiagnosticDataViewing +``` + +Once data viewing is enabled, your Windows machine will begin saving a history of diagnostic data that is sent to Microsoft from this point on. + + >[!IMPORTANT] + >Turning on data viewing can use up to 1GB (default setting) of disk space on your system drive. We recommend that you turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article. + + +### Getting Started with Diagnostic Data Viewer for PowerShell +To see how to use the cmdlet, the parameters it accepts, and examples, run the following command from an elevated PowerShell session: + +```powershell +PS C:\> Get-Help Get-DiagnosticData +``` + +**To Start Viewing Diagnostic Data** + +From an elevated PowerShell session, run the following command: + +```powershell +PS C:\> Get-DiagnosticData +``` + +If the number of events is large, and you'd like to stop the command, enter `Ctrl+C`. + + >[!IMPORTANT] + >The above command may produce little to no results if you enabled data viewing recently. It can take several minutes before your Windows device can show diagnostic data it has sent. Use your device as you normally would in the mean time and try again. + +### Doing more with the Diagnostic Data Viewer for PowerShell +The Diagnostic Data Viewer for PowerShell provides you with the following features to view and filter your device's diagnostic data. You can also use the extensive suite of other PowerShell tools with this module. + +- **View your diagnostic events.** Running `PS C:\> Get-DiagnosticData`, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft. + + Each event is displayed as a PowerShell Object. By default each event shows the event name, the time when it was seen by your Windows device, whether the event is [Basic](https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization), its [diagnostic event category](#view-diagnostic-event-categories), and a detailed JSON view of the information it contains, which shows the event exactly as it was when sent to Microsoft. Microsoft uses this info to continually improve the Windows operating system. + +- **View Diagnostic event categories.** Each event shows the diagnostic event categories that it belongs to. These categories define how events are used by Microsoft. The categories are shown as numeric identifiers. For more information about these categories, see [Windows Diagnostic Data](https://docs.microsoft.com/en-us/windows/privacy/windows-diagnostic-data). + + To view the diagnostic category represented by each numeric identifier and what the category means, you can run the command: + + ```powershell + PS C:\> Get-DiagnosticDataTypes + ``` + +- **Filter events by when they were sent.** You can view events within specified time ranges by specifying a start time and end time of each command. For example, to see all diagnostic data sent between 12 and 6 hours ago, run the following command. Note that data is shown in order of oldest first. + ```powershell + PS C:\> Get-DiagnosticData -StartTime (Get-Date).AddHours(-12) -EndTime (Get-Date).AddHours(-6) + ``` + +- **Export the results of each command.** You can export the results of each command to a separate file such as a csv by using pipe `|`. For example, + + ```powershell + PS C:\> Get-DiagnosticData | Export-Csv 'mydata.csv' + ``` + +## Turn off data viewing +When you're done reviewing your diagnostic data, we recommend turning off data viewing to prevent using up more memory. Turning off data viewing stops Windows from saving a history of your diagnostic data and clears the existing history of diagnostic data from your device. + +**To turn off data viewing through the Settings page** +1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. + +2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option. + + ![Location to turn off data viewing](images/ddv-settings-off.png) + +**To turn off data viewing through PowerShell** + +Within an elevated PowerShell session, run the following command: + +```powershell +PS C:\> Disable-DiagnosticDataViewing +``` + +## Modifying the size of your data history +By default, the tool will show you up to 1GB or 30 days of data (whichever comes first). Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first. + +**Modify the size of your data history** + + >[!IMPORTANT] + >Modifying the maximum amount of diagnostic data viewable by the tool may come with performance impacts to your machine. + + >[!IMPORTANT] + >If you modify the maximum data history size from a larger value to a lower value, you must turn off data viewing and turn it back on in order to reclaim disk space. + +You can change the maximum data history size (in megabytes) that you can view. For example, to set the maximum data history size to 2048MB (2GB), you can run the following command. + +```powershell +PS C:\> Set-DiagnosticStoreCapacity -Size 2048 +``` + +You can change the maximum data history time (in hours) that you can view. For example, to set the maximum data history time to 24 hours, you can run the following command. + +```powershell +PS C:\> Set-DiagnosticStoreCapacity -Time 24 +``` + + >[!IMPORTANT] + >You may need to restart your machine for the new settings to take effect. + + >[!IMPORTANT] + >If you have the [Diagnostic Data Viewer](diagnostic-data-viewer-overview.md) store app installed on the same device, modifications to the size of your data history through the PowerShell module will also be reflected in the app. + +**Reset the size of your data history** + +To reset the maximum data history size back to its original 1GB default value, run the following command in an elevated PowerShell session: + +```powershell +PS C:\> Set-DiagnosticStoreCapacity -Size 1024 -Time 720 +``` + +When resetting the size of your data history to a lower value, be sure to turn off data viewing and turn it back on in order to reclaim disk space. + +## Related Links +- [Module in PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer) +- [Documentation for Diagnostic Data Viewer for PowerShell](https://docs.microsoft.com/en-us/powershell/module/microsoft.diagnosticdataviewer/?view=win10-ps) \ No newline at end of file diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md index a229e2df1a..35561d07af 100644 --- a/windows/privacy/TOC.md +++ b/windows/privacy/TOC.md @@ -1,9 +1,11 @@ # [Privacy](index.yml) ## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md) -## [Windows 10 and the GDPR for IT Decision Makers](gdpr-it-guidance.md) +## [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md) ## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md) ## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) -## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) +## Diagnostic Data Viewer +### [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) +### [Diagnostic Data Viewer for PowerShell Overview](Microsoft-DiagnosticDataViewer.md) ## Basic level Windows diagnostic data events and fields ### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) ### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) @@ -14,7 +16,11 @@ ## Full level categories ### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md) ### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md) -## [Manage Windows 10 connection endpoints](manage-windows-endpoints.md) +## Manage Windows 10 connection endpoints +### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) +### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) +### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) ### [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) ### [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) +### [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) ## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index ada643a31a..79ef8ac888 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 11/07/2018 +ms.date: 12/27/2018 --- @@ -20,7 +20,7 @@ ms.date: 11/07/2018 - Windows 10, version 1703 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -61,15 +61,15 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. - **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. - **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **InventoryLanguagePack** The total InventoryLanguagePack objects that are present on this device. -- **InventorySystemBios** The total InventorySystemBios objects that are present on this device. -- **PCFP** An ID for the system that is calculated by hashing hardware identifiers. -- **SystemProcessorCompareExchange** The total SystemProcessorCompareExchange objects that are present on this device. -- **SystemProcessorNx** The total SystemProcessorNx objects that are present on this device. -- **SystemProcessorSse2** The total SystemProcessorSse2 objects that are present on this device. -- **SystemWim** The total SystemWim objects that are present on this device -- **SystemWindowsActivationStatus** The total SystemWindowsActivationStatus objects that are present on this device. -- **SystemWlan** The total SystemWlan objects that are present on this device. +- **InventoryLanguagePack** The count of DecisionApplicationFile objects present on this machine targeting the next release of Windows +- **InventorySystemBios** The count of DecisionDevicePnp objects present on this machine targeting the next release of Windows +- **PCFP** The count of DecisionDriverPackage objects present on this machine targeting the next release of Windows +- **SystemProcessorCompareExchange** The count of DecisionMatchingInfoBlock objects present on this machine targeting the next release of Windows +- **SystemProcessorNx** The count of DataSourceMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows +- **SystemProcessorSse2** The count of DecisionMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows +- **SystemWim** The count of DecisionMediaCenter objects present on this machine targeting the next release of Windows +- **SystemWindowsActivationStatus** The count of DecisionSystemBios objects present on this machine targeting the next release of Windows +- **SystemWlan** The count of InventoryApplicationFile objects present on this machine. - **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. @@ -1757,8 +1757,106 @@ The following fields are available: - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. +## Content Delivery Manager events + +### Microsoft.Windows.ContentDeliveryManager.ProcessCreativeEvent + +This event sends tracking data about the reliability of interactions with Windows spotlight content, to help keep Windows up to date. + +The following fields are available: + +- **creativeId** A serialized string containing the ID of the offer being rendered, the ID of the current rotation period, the ID of the surface/ring/market combination, the offer index in the current branch, the ID of the batch, the rotation period length, and the expiration timestamp. +- **eventToken** In there are multiple item offers, such as Start tiles, this indicates which tile the event corresponds to. +- **eventType** A code that indicates the type of creative event, such a impression, click, positive feedback, negative feedback, etc.. +- **placementId** Name of surface, such as LockScreen or Start. + + +### Microsoft.Windows.ContentDeliveryManager.ReportPlacementHealth + +This event sends aggregated client health data, summarizing information about the state of offers on a device, to help keep Windows up to date. + +The following fields are available: + +- **dataVersion** Schema version of the event that is used to determine what serialized content is available for placementReportedInfo and trackingInfo fields. +- **healthResult** A code that identifies user account health status as Unknown, Healthy, Unhealthy. +- **healthStateFlags** A code that represents a set of flags used to group devices in a health/unhealthy way. For example, Unhealthy, Healthy, RefreshNotScheduled, EmptyResponse, RenderedDefault, RenderFailure, RenderDelayed, and CacheEmpty. +- **placementHealthId** A code that represents which surface's health is being reported. For example, Default, LockScreen, LockScreenOverlay, StartMenu, SoftLanding, DefaultStartLayout1, DefaultStartLayout2, OemPreInstalledApps, FeatureManagement, SilentInstalledApps, NotificationChannel, SuggestedPenAppsSubscribedContent, TestAppSubscribedContent, OneDriveSyncNamespaceSubscribedContent, OneDriveLocalNamespaceSubscribedContent, OneDriveSyncNamespaceInternalSubscribedContent, and OneDriveLocalNamespaceInternalSubscribedContent. +- **placementReportedInfo** Serialized information that contains domain-specific health information written by each surface, such as lastUpportunityTime, lastOpportunityReportedTime, expectedExpirationTime, and rotationPeriod. +- **trackingInfo** Serialized information that contains domain-specific health information written by the content delivery manager, such as lastRefreshTime, nextRefreshTime, nextUpdateTime,renderPriorToLastOpportunityTime, lastRenderTime, lastImpressionTime, lastRulesRegistrationTime, registrationTime, lastRefreshBatchCount, lastEligibleCreativeCount, availableAppSlotCount, placeholderAppSlotCount, lastRenderSuccess, lastRenderDefault, isEnabled. + + +### Microsoft.Windows.ContentDeliveryManager.ReportPlacementState + +This event sends data about the opt-out state of a device or user that uses Windows spotlight, to help keep Windows up to date. + +The following fields are available: + +- **isEnabled** Indicates if the surface is enable to receive offers. +- **lastImpressionTime** The time when the last offer was seen. +- **lastRenderedCreativeId** ID of the last offer rendered by the surface. +- **lastRenderedTime** The time that the last offer was rendered. +- **nextRotationTime** The time in which the next offer will be rendered. +- **placementName** Name of surface, such as LockScreen or Start. +- **placementStateReportFlags** Flags that represent if the surface is capable of receiving offers, such as off by edition, off by Group Policy, off by user choice. +- **selectedPlacementId** ID of the surface/ring/markey combination, such as Lock-Internal-en-US. + + ## Diagnostic data events +### TelClientSynthetic.AbnormalShutdown_0 + +This event sends data about boot IDs for which a normal clean shutdown was not observed, to help keep Windows up to date. + +The following fields are available: + +- **AbnormalShutdownBootId** Retrieves the Boot ID for which the abnormal shutdown was observed. +- **CrashDumpEnabled** Indicates whether crash dumps are enabled. +- **CumulativeCrashCount** Cumulative count of operating system crashes since the BootId reset. +- **CurrentBootId** BootId at the time the abnormal shutdown event was being reported. +- **FirmwareResetReasonEmbeddedController** Firmware-supplied reason for the reset. +- **FirmwareResetReasonEmbeddedControllerAdditional** Additional data related to the reset reason provided by the firmware. +- **FirmwareResetReasonPch** Hardware-supplied reason for the reset. +- **FirmwareResetReasonPchAdditional** Additional data related to the reset reason provided by the hardware. +- **FirmwareResetReasonSupplied** Indicates whether the firmware supplied any reset reason. +- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType. +- **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset. +- **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not. +- **LastBugCheckBootId** The Boot ID of the last captured crash. +- **LastBugCheckCode** Code that indicates the type of error. +- **LastBugCheckContextFlags** Additional crash dump settings. +- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save. +- **LastBugCheckOtherSettings** Other crash dump settings. +- **LastBugCheckParameter1** The first parameter with additional info on the type of the error. +- **LastSuccessfullyShutdownBootId** The Boot ID of the last fully successful shutdown. +- **PowerButtonCumulativePressCount** Indicates the number of times the power button has been pressed ("pressed" not to be confused with "released"). +- **PowerButtonCumulativeReleaseCount** Indicates the number of times the power button has been released ("released" not to be confused with "pressed"). +- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record Power Button metrics (e.g.: due to a failure to lock/update the bootstat file). +- **PowerButtonLastPressBootId** The Boot ID of the last time the Power Button was detected to have been pressed ("pressed" not to be confused with "released"). +- **PowerButtonLastPressTime** The date and time the Power Button was most recently pressed ("pressed" not to be confused with "released"). +- **PowerButtonLastReleaseBootId** The Boot ID of the last time the Power Button was released ("released" not to be confused with "pressed"). +- **PowerButtonLastReleaseTime** The date and time the Power Button was most recently released ("released" not to be confused with "pressed"). +- **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed. +- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the Power Button was pressed. +- **PowerButtonPressLastPowerWatchdogStage** The last stage completed when the Power Button was most recently pressed. +- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press. +- **TransitionInfoBootId** The Boot ID of the captured transition information. +- **TransitionInfoCSCount** The total number of times the system transitioned from "Connected Standby" mode to "On" when the last marker was saved. +- **TransitionInfoCSEntryReason** Indicates the reason the device last entered "Connected Standby" mode ("entered" not to be confused with "exited"). +- **TransitionInfoCSExitReason** Indicates the reason the device last exited "Connected Standby" mode ("exited" not to be confused with "entered"). +- **TransitionInfoCSInProgress** Indicates whether the system was in or entering Connected Standby mode when the last marker was saved. +- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp. +- **TransitionInfoLastReferenceTimestamp** The date and time that the marker was last saved. +- **TransitionInfoPowerButtonTimestamp** The most recent date and time when the Power Button was pressed (collected via a different mechanism than PowerButtonLastPressTime). +- **TransitionInfoSleepInProgress** Indicates whether the system was in or entering Sleep mode when the last marker was saved. +- **TransitionInfoSleepTranstionsToOn** The total number of times the system transitioned from Sleep mode to on, when the last marker was saved. +- **TransitionInfoSystemRunning** Indicates whether the system was running when the last marker was saved. +- **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed. +- **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed. +- **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition. +- **TransitionLatestCheckpointSeqNumber** Represents the chronological sequence number of the checkpoint. +- **TransitionLatestCheckpointType** Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational. + + ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. @@ -1856,6 +1954,24 @@ The following fields are available: - **VortexHttpFailures5xx** The number of 500-599 error codes received from Vortex. +### TelClientSynthetic.HeartBeat_Aria_5 + +This event is the telemetry client ARIA heartbeat. + + + +### TelClientSynthetic.HeartBeat_Seville_5 + +This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense. + + + +### TelClientSynthetic.TailoredExperiencesWithDiagnosticDataUpdate + +This event is triggered when UTC determines it needs to send information about personalization settings of the user. + + + ## DxgKernelTelemetry events ### DxgKrnlTelemetry.GPUAdapterInventoryV2 @@ -2571,6 +2687,31 @@ The following fields are available: - **UserInputTime** The amount of time the loader application spent waiting for user input. +### Microsoft.Windows.Kernel.Power.OSStateChange + +This event denotes the transition between operating system states (e.g., On, Off, Sleep, etc.). By using this event with Windows Analytics, organizations can use this to help monitor reliability and performance of managed devices. + +The following fields are available: + +- **AcPowerOnline** If "TRUE," the device is using AC power. If "FALSE," the device is using battery power. +- **ActualTransitions** This will give the actual transitions number +- **BatteryCapacity** Maximum battery capacity in mWh +- **BatteryCharge** Current battery charge as a percentage of total capacity +- **BatteryDischarging** Flag indicating whether the battery is discharging or charging +- **BootId** Monotonically increasing boot id, reset on upgrades. +- **BootTimeUTC** Boot time in UTC  file time. +- **EventSequence** Monotonically increasing event number for OsStateChange events logged during this boot. +- **LastStateTransition** The previous state transition on the device. +- **LastStateTransitionSub** The previous state subtransition on the device. +- **StateDurationMS** Milliseconds spent in the state being departed +- **StateTransition** Transition type PowerOn=1, Shutdown, Suspend, Resume, Heartbeat. +- **StateTransitionSub** Subtransition type Normal=1, Reboot, Hiberboot, Standby, Hibernate, ConnectedStandby, Reserved, HybridSleep. +- **TotalDurationMS** Total time device has been up in milliseconds in wall clock time. +- **TotalUptimeMS** Total time device has been on (not in a suspended state) in milliseconds. +- **TransitionsToOn** TransitionsToOn increments each time the system successfully completes a system sleep event, and is sent as part of the PowerTransitionEnd ETW event. +- **UptimeDeltaMS** Duration in last state in milliseconds. + + ## OneDrive events ### Microsoft.OneDrive.Sync.Setup.APIOperation @@ -2627,43 +2768,6 @@ The following fields are available: - **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. -### Microsoft.OneDrive.Sync.Setup.SetupCommonData - -This event contains basic OneDrive configuration data that helps to diagnose failures. - -The following fields are available: - -- **AppVersion** The version of the app. -- **BuildArchitecture** Is the architecture x86 or x64? -- **Environment** Is the device on the production or int service? -- **MachineGuid** The CEIP machine ID. -- **Market** Which market is this in? -- **MSFTInternal** Is this an internal Microsoft device? -- **OfficeVersionString** The version of Office that is installed. -- **OSDeviceName** Only if the device is internal to Microsoft, the device name. -- **OSUserName** Only if the device is internal to Microsoft, the user name. -- **UserGuid** The CEIP user ID. - - -### Microsoft.OneDrive.Sync.Updater.CommonData - -This event contains basic OneDrive configuration data that helps to diagnose failures. - -The following fields are available: - -- **AppVersion** The version of the app. -- **BuildArch** Is the architecture x86 or x64? -- **Environment** Is the device on the production or int service? -- **IsMSFTInternal** TRUE if the device is an internal Microsoft device. -- **MachineGuid** The GUID (Globally Unique ID) that identifies the machine for the CEIP (Customer Experience Improvement Program). -- **Market** Which market is this in? -- **OfficeVersion** The version of Office that is installed. -- **OneDriveDeviceId** The OneDrive device ID. -- **OSDeviceName** Only if the device is internal to Microsoft, the device name. -- **OSUserName** Only if the device is internal to Microsoft, the user name. -- **UserGuid** The GUID (Globally Unique ID) of the user currently logged in. - - ### Microsoft.OneDrive.Sync.Updater.ComponentInstallState This event includes basic data about the installation state of dependent OneDrive components. @@ -2750,43 +2854,6 @@ The following fields are available: - **winInetError** The HResult of the operation. -## Other events - -### Microsoft.Xbox.XamTelemetry.AppActivationError - -This event indicates whether the system detected an activation error in the app. - -The following fields are available: - -- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. -- **AppId** The Xbox LIVE Title ID. -- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. -- **Result** The HResult error. -- **UserId** The Xbox LIVE User ID (XUID). - - -### Microsoft.Xbox.XamTelemetry.AppActivity - -This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. - -The following fields are available: - -- **AppActionId** The ID of the application action. -- **AppCurrentVisibilityState** The ID of the current application visibility state. -- **AppId** The Xbox LIVE Title ID of the app. -- **AppPackageFullName** The full name of the application package. -- **AppPreviousVisibilityState** The ID of the previous application visibility state. -- **AppSessionId** The application session ID. -- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). -- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. -- **DurationMs** The amount of time (in milliseconds) since the last application state transition. -- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. -- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). -- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. -- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. -- **UserId** The XUID (Xbox User ID) of the current user. - - ## Remediation events ### Microsoft.Windows.Remediation.Applicable @@ -2940,8 +3007,8 @@ The following fields are available: - **ServiceHealthPlugin** The nae of the Service Health plug-in. - **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully. - **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. -- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes. -- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes. +- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Microsoft Store cache after cleanup, measured in Megabytes. +- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Microsoft Store cache (prior to cleanup), measured in Megabytes. - **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan. - **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. - **usoScanIsAllowAutoUpdateKeyPresent** TRUE if the AllowAutoUpdate registry key is set. @@ -3859,7 +3926,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). @@ -3895,7 +3962,7 @@ The following fields are available: - **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Unique revision number of Update -- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Windows Store. +- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store. - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. - **UpdateId** Unique Update ID @@ -3966,7 +4033,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -4009,6 +4076,30 @@ The following fields are available: - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue +### SoftwareUpdateClientTelemetry.DownloadHeartbeat + +This event allows tracking of ongoing downloads and contains data to explain the current state of the download + +The following fields are available: + +- **BundleID** Identifier associated with the specific content bundle. If this value is found, it shouldn't report as all zeros +- **BytesTotal** Total bytes to transfer for this content +- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat +- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat +- **CurrentError** Last (transient) error encountered by the active download +- **DownloadFlags** Flags indicating if power state is ignored +- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) +- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" +- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any +- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any +- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one +- **ResumeCount** Number of times this active download has resumed from a suspended state +- **ServiceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SuspendCount** Number of times this active download has entered a suspended state +- **SuspendReason** Last reason for why this active download entered a suspended state + + ### SoftwareUpdateClientTelemetry.Install This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. @@ -4073,7 +4164,7 @@ The following fields are available: - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install. - **RepeatSuccessInstallFlag** Indicates whether this specific piece of content had previously installed successful, for example if another user had already installed it. - **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). @@ -4117,7 +4208,7 @@ The following fields are available: - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). - **WUDeviceID** The unique device ID controlled by the software distribution client. @@ -4138,7 +4229,7 @@ The following fields are available: - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. - **RevisionId** The revision ID for a specific piece of content. - **RevisionNumber** The revision number for a specific piece of content. -- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store - **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. - **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. - **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob. @@ -4543,9 +4634,9 @@ The following fields are available: - **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** ID that uniquely identifies a group of events. - **WuId** Windows Update client ID. @@ -4735,14 +4826,64 @@ The following fields are available: - **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). -## Windows Store events +### WerTraceloggingProvider.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. + +The following fields are available: + +- **AppName** The name of the app that crashed. +- **AppSessionGuid** The unique ID used as a correlation vector for process instances in the telemetry backend. +- **AppTimeStamp** The date time stamp of the app. +- **AppVersion** The version of the app that crashed. +- **ExceptionCode** The exception code returned by the process that crashed. +- **ExceptionOffset** The address where the exception occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, do not terminate the process after reporting. +- **ModName** The module name of the process that crashed. +- **ModTimeStamp** The date time stamp of the module. +- **ModVersion** The module version of the process that crashed. +- **PackageFullName** The package name if the crashing application is packaged. +- **PackageRelativeAppId** The relative application ID if the crashing application is packaged. +- **ProcessArchitecture** The architecture of the system. +- **ProcessCreateTime** The time of creation of the process that crashed. +- **ProcessId** The ID of the process that crashed. +- **ReportId** A unique ID used to identify the report. This can be used to track the report. +- **TargetAppId** The target app ID. +- **TargetAppVer** The target app version. + + +## Windows Phone events + +### Microsoft.Windows.Phone.Telemetry.OnBoot.RebootReason + +This event lists the reboot reason when an app is going to reboot. + +The following fields are available: + +- **BootId** The boot ID. +- **BoottimeSinceLastShutdown** The boot time since the last shutdown. +- **RebootReason** Reason for the reboot. + + +## Microsoft Store events ### Microsoft.Windows.Store.Partner.ReportApplication -Report application event for Windows Store client. +Report application event for Microsoft Store client. +### Microsoft.Windows.Store.StoreActivating + +This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. + +The following fields are available: + +- **correlationVectorRoot** Identifies multiple events within a session/sequence. Initial value before incrementation or extension. +- **protocolUri** Protocol URI used to activate the store. +- **reason** The reason for activating the store. + + ### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. @@ -4766,7 +4907,7 @@ The following fields are available: - **ProductId** The identity of the package or packages being installed. - **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. - **UserAttemptNumber** The total number of user attempts at installation before it was canceled. -- **WUContentId** Licensing identity of this package. +- **WUContentId** The Windows Update content ID. ### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds @@ -5522,7 +5663,7 @@ The following fields are available: - **EventPublishedTime** Time when this event was generated. - **flightID** The specific ID of the Windows Insider build. - **revisionNumber** Update revision number. -- **updateId** Unique Update ID. +- **updateId** Unique Windows Update ID. - **updateScenarioType** Update session type. - **UpdateStatus** Last status of update. - **wuDeviceid** Unique Device ID. @@ -5717,6 +5858,19 @@ The following fields are available: - **wuDeviceid** The ID of the device in which the error occurred. +### Microsoft.Windows.Update.Orchestrator.USODiagnostics + +This event sends data on whether the state of the update attempt, to help keep Windows up to date. + +The following fields are available: + +- **errorCode** result showing success or failure of current update +- **revisionNumber** Unique revision number of the Update +- **updateId** Unique ID for Update +- **updateState** Progress within an update state +- **wuDeviceid** Unique ID for Device + + ### Microsoft.Windows.Update.Orchestrator.UsoSession This event represents the state of the USO service at start and completion. @@ -5845,4 +5999,41 @@ This event signals the completion of the setup process. It happens only once dur +## XBOX events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + +The following fields are available: + +- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. +- **AppId** The Xbox LIVE Title ID. +- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. +- **Result** The HResult error. +- **UserId** The Xbox LIVE User ID (XUID). + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index e6b7d5cbc6..63376e03ed 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 11/07/2018 +ms.date: 12/13/2018 --- @@ -20,7 +20,7 @@ ms.date: 11/07/2018 - Windows 10, version 1709 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -70,16 +70,16 @@ The following fields are available: - **InventorySystemBios** The count of the number of this particular object type present on this device. - **InventoryTest** The count of the number of this particular object type present on this device. - **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. -- **PCFP** The count of the number of this particular object type present on this device. -- **SystemMemory** The count of the number of this particular object type present on this device. +- **PCFP** An ID for the system, calculated by hashing hardware identifiers. +- **SystemMemory** The count of SystemMemory objects present on this machine. - **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. - **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. -- **SystemProcessorNx** The count of the number of this particular object type present on this device. -- **SystemProcessorPrefetchW** The count of the number of this particular object type present on this device. -- **SystemProcessorSse2** The count of the number of this particular object type present on this device. -- **SystemTouch** The count of the number of this particular object type present on this device. -- **SystemWim** The count of the number of this particular object type present on this device. -- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. +- **SystemProcessorNx** The count of SystemProcessorNx objects present on this machine. +- **SystemProcessorPrefetchW** The count of SystemProcessorPrefetchW objects present on this machine. +- **SystemProcessorSse2** The count of SystemProcessorSse2 objects present on this machine. +- **SystemTouch** The count of SystemTouch objects present on this machine. +- **SystemWim** The count of SystemWim objects present on this machine. +- **SystemWindowsActivationStatus** The count of SystemWindowsActivationStatus objects present on this machine. - **SystemWlan** The count of the number of this particular object type present on this device. - **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. - **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. @@ -1858,6 +1858,57 @@ The following fields are available: - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. +## Component-based Servicing events + +### CbsServicingProvider.CbsCapabilityEnumeration + +This event reports on the results of scanning for optional Windows content on Windows Update. + +The following fields are available: + +- **architecture** Indicates the scan was limited to the specified architecture. +- **capabilityCount** The number of optional content packages found during the scan. +- **clientId** The name of the application requesting the optional content. +- **duration** The amount of time it took to complete the scan. +- **hrStatus** The HReturn code of the scan. +- **language** Indicates the scan was limited to the specified language. +- **majorVersion** Indicates the scan was limited to the specified major version. +- **minorVersion** Indicates the scan was limited to the specified minor version. +- **namespace** Indicates the scan was limited to packages in the specified namespace. +- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **highestState** The highest final install state of the optional content. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionPended + +This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. + +The following fields are available: + +- **clientId** The name of the application requesting the optional content. +- **pendingDecision** Indicates the cause of reboot, if applicable. + + ## Diagnostic data events ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition @@ -1868,7 +1919,13 @@ This event sends data indicating that a device has undergone a change of telemet ### TelClientSynthetic.AuthorizationInfo_Startup -This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. +Fired by UTC at startup to signal what data we are allowed to collect. + + + +### TelClientSynthetic.ConnectivityHeartBeat_0 + +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. @@ -1906,6 +1963,12 @@ The following fields are available: - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. +### TelClientSynthetic.TailoredExperiencesWithDiagnosticDataUpdate + +This event is triggered when UTC determines it needs to send information about personalization settings of the user. + + + ## DxgKernelTelemetry events ### DxgKrnlTelemetry.GPUAdapterInventoryV2 @@ -2305,12 +2368,12 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **BusReportedDescription** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer. -- **Class** The device setup class of the driver loaded for the device. -- **ClassGuid** The device setup class guid of the driver loaded for the device. -- **COMPID** The list of compat ids for the device. -- **ContainerId** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer. -- **Description** The device description. -- **DeviceState** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present +- **Class** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer. +- **ClassGuid** A unique identifier for the driver installed. +- **COMPID** Name of the .sys image file (or wudfrd.sys if using user mode driver framework). +- **ContainerId** INF file name (the name could be renamed by OS, such as oemXX.inf) +- **Description** The version of the inventory binary generating the events. +- **DeviceState** The current error code for the device. - **DriverId** A unique identifier for the driver installed. - **DriverName** Name of the .sys image file (or wudfrd.sys if using user mode driver framework). - **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. @@ -2481,22 +2544,22 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **AddinCLSID** The CLSID for the Office addin -- **AddInCLSID** The CLSID for the Add-in -- **AddInId** Add-In identifier +- **AddInCLSID** CLSID key for the office addin +- **AddInId** Office addin ID - **AddinType** The type of the Office addin. - **BinFileTimestamp** Timestamp of the Office addin - **BinFileVersion** Version of the Office addin -- **Description** Add-in description +- **Description** Office addin description - **FileId** FileId of the Office addin - **FileSize** File size of the Office addin -- **FriendlyName** Add-in friendly name -- **FullPath** Full path to the add-in module -- **LoadBehavior** The load behavior -- **LoadTime** The load time for the add-in -- **OfficeApplication** The Microsoft Office application associated with the add-in +- **FriendlyName** Friendly name for office addin +- **FullPath** Unexpanded path to the office addin +- **LoadBehavior** Uint32 that describes the load behavior +- **LoadTime** Load time for the office add in +- **OfficeApplication** The office application for this add in - **OfficeArchitecture** Architecture of the addin -- **OfficeVersion** The Microsoft Office version installed -- **OutlookCrashingAddin** Whether the Outlook addin is crashing +- **OfficeVersion** The office version for this add in +- **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this add in - **ProductCompany** The name of the company associated with the Office addin - **ProductName** The product name associated with the Office addin - **ProductVersion** The version associated with the Office addin @@ -2928,78 +2991,6 @@ The following fields are available: - **winInetError** The HResult of the operation. -## Other events - -### CbsServicingProvider.CbsCapabilityEnumeration - -This event reports on the results of scanning for optional Windows content on Windows Update. - -The following fields are available: - -- **architecture** Indicates the scan was limited to the specified architecture. -- **capabilityCount** The number of optional content packages found during the scan. -- **clientId** The name of the application requesting the optional content. -- **duration** The amount of time it took to complete the scan. -- **hrStatus** The HReturn code of the scan. -- **language** Indicates the scan was limited to the specified language. -- **majorVersion** Indicates the scan was limited to the specified major version. -- **minorVersion** Indicates the scan was limited to the specified minor version. -- **namespace** Indicates the scan was limited to packages in the specified namespace. -- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. - - -### CbsServicingProvider.CbsCapabilitySessionFinalize - -This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. - -The following fields are available: - -- **capabilities** The names of the optional content packages that were installed. -- **clientId** The name of the application requesting the optional content. -- **highestState** The highest final install state of the optional content. -- **hrStatus** The HReturn code of the install operation. -- **rebootCount** The number of reboots required to complete the install. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. - - -### CbsServicingProvider.CbsCapabilitySessionPended - -This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. - -The following fields are available: - -- **clientId** The name of the application requesting the optional content. -- **pendingDecision** Indicates the cause of reboot, if applicable. - - -### Microsoft.Windows.WaaSAssessment.Error - -This event returns the name of the missing setting needed to determine the Operating System build age. - -The following fields are available: - -- **m** The WaaS (“Workspace as a Service”—cloud-based “workspace”) Assessment Error String. - - -### Microsoft.Xbox.XamTelemetry.AppActivationError - -This event indicates whether the system detected an activation error in the app. - - - -### Microsoft.Xbox.XamTelemetry.AppActivity - -This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. - - - ## Remediation events ### Microsoft.Windows.Remediation.Applicable @@ -3194,8 +3185,8 @@ The following fields are available: - **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs. - **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot. - **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. -- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes. -- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes. +- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Microsoft Store cache after cleanup, measured in Megabytes. +- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Microsoft Store cache (prior to cleanup), measured in Megabytes. - **uninstallActive** TRUE if previous uninstall has occurred for current OS - **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan. - **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. @@ -3651,7 +3642,7 @@ The following fields are available: - **EventInstanceID** A unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.) +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.) - **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it. - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **UpdateID** A unique identifier for the action being acted upon. @@ -3668,7 +3659,7 @@ The following fields are available: - **EventInstanceID** A unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **RebootRequired** Indicates if a reboot was required to complete the action. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **UpdateID** A unique identifier for the action being acted upon. - **WUDeviceID** The unique identifier controlled by the software distribution client. @@ -3683,7 +3674,7 @@ The following fields are available: - **CachedEngineVersion** The engine DLL version that is being used. - **EventInstanceID** A unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **UpdateID** A unique identifier for the action being acted upon. - **WUDeviceID** The unique identifier controlled by the software distribution client. @@ -3699,7 +3690,7 @@ The following fields are available: - **EventInstanceID** A unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **Service** The service that is being stopped/started. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). - **StateChange** The service operation (stop/start) is being attempted. - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **UpdateID** A unique identifier for the action being acted upon. @@ -3717,7 +3708,7 @@ The following fields are available: - **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **FailedParseActions** The list of actions that were not successfully parsed. - **ParsedActions** The list of actions that were successfully parsed. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.) +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.) - **WUDeviceID** The unique identifier controlled by the software distribution client. @@ -3793,7 +3784,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). @@ -3812,7 +3803,7 @@ Download process event for target update on Windows Update client (see eventscen The following fields are available: -- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. +- **ActiveDownloadTime** Number of seconds the update was actively being downloaded. - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. - **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client. - **BiosFamily** The family of the BIOS (Basic Input Output System). @@ -3821,11 +3812,11 @@ The following fields are available: - **BiosSKUNumber** The sku number of the device BIOS. - **BIOSVendor** The vendor of the BIOS. - **BiosVersion** The version of the BIOS. -- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle. +- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. - **BundleRepeatFailFlag** Indicates whether this particular update bundle had previously failed to download. - **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **BytesDownloaded** How many bytes were downloaded for an individual piece of content (not the entire bundle). +- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). - **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download. @@ -3844,7 +3835,7 @@ The following fields are available: - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. -- **FlightId** The specific id of the flight (pre-release build) the device is getting. +- **FlightId** The specific ID of the flight (pre-release build) the device is getting. - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). - **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). - **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. @@ -3860,10 +3851,10 @@ The following fields are available: - **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. - **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -3929,7 +3920,7 @@ The following fields are available: - **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one - **ResumeCount** Number of times this active download has resumed from a suspended state - **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **ServiceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **SuspendCount** Number of times this active download has entered a suspended state - **SuspendReason** Last reason for why this active download entered a suspended state @@ -3950,14 +3941,14 @@ The following fields are available: - **BIOSVendor** The vendor of the BIOS. - **BiosVersion** The version of the BIOS. - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. +- **BundleRepeatFailFlag** Has this particular update bundle previously failed to install? - **BundleRevisionNumber** Identifies the revision number of the content bundle. - **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **ClientVersion** The version number of the software distribution client. - **CSIErrorType** The stage of CBS installation where it failed. -- **CurrentMobileOperator** The mobile operator to which the device is currently connected. -- **DeviceModel** The device model. +- **CurrentMobileOperator** Mobile operator that device is currently connected to. +- **DeviceModel** What is the device model. - **DriverPingBack** Contains information about the previous driver and system state. - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. @@ -3973,23 +3964,23 @@ The following fields are available: - **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. - **HomeMobileOperator** The mobile operator that the device was originally intended to work with. - **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether this update is a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. +- **IsDependentSet** Is the driver part of a larger System Hardware/Firmware update? +- **IsFinalOutcomeEvent** Does this event signal the end of the update/upgrade process? +- **IsFirmware** Is this update a firmware update? +- **IsSuccessFailurePostReboot** Did it succeed and then fail after a restart? - **IsWUfBDualScanEnabled** Is Windows Update for Business dual scan enabled on the device? - **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. -- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. +- **MergedUpdate** Was the OS update and a BSP update merged for installation? - **MsiAction** The stage of MSI installation where it failed. - **MsiProductCode** The unique identifier of the MSI installer. - **PackageFullName** The package name of the content being installed. - **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. -- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdatePause** Are quality OS updates paused on the device? - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. +- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install. - **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). @@ -3997,8 +3988,8 @@ The following fields are available: - **SystemBIOSMinorRelease** Minor version of the BIOS. - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TransactionCode** The ID that represents a given MSI installation. -- **UpdateId** Unique update ID. +- **TransactionCode** The ID which represents a given MSI installation +- **UpdateId** Unique update ID - **UpdateID** An identifier associated with the specific piece of content. - **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. - **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. @@ -4016,7 +4007,7 @@ The following fields are available: - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). - **WUDeviceID** The unique device ID controlled by the software distribution client. @@ -4037,7 +4028,7 @@ The following fields are available: - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. - **RevisionId** The revision ID for a specific piece of content. - **RevisionNumber** The revision number for a specific piece of content. -- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store - **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. - **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. - **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob. @@ -4528,7 +4519,7 @@ The following fields are available: - **CV** Correlation vector. - **DetectorVersion** Most recently run detector version for the current campaign. - **GlobalEventCounter** Client side counter that indicates the ordering of events sent by this user. -- **key1** Interaction data for the UI +- **key1** UI interaction data - **key10** UI interaction data - **key11** UI interaction data - **key12** UI interaction data @@ -4539,7 +4530,7 @@ The following fields are available: - **key17** UI interaction data - **key18** UI interaction data - **key19** UI interaction data -- **key2** Interaction data for the UI +- **key2** UI interaction data - **key20** UI interaction data - **key21** UI interaction data - **key22** UI interaction data @@ -4550,12 +4541,12 @@ The following fields are available: - **key27** UI interaction data - **key28** UI interaction data - **key29** UI interaction data -- **key3** Interaction data for the UI +- **key3** UI interaction data - **key30** UI interaction data -- **key4** Interaction data for the UI -- **key5** UI interaction type -- **key6** Current package version of UNP -- **key7** UI interaction type +- **key4** UI interaction data +- **key5** UI interaction data +- **key6** UI interaction data +- **key7** UI interaction data - **key8** UI interaction data - **key9** UI interaction data - **PackageVersion** Current package version of the update notification. @@ -4708,9 +4699,9 @@ The following fields are available: - **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** A string to uniquely identify a group of events. - **WuId** Windows Update client ID. @@ -4882,6 +4873,15 @@ The following fields are available: ## Windows as a Service diagnostic events +### Microsoft.Windows.WaaSAssessment.Error + +This event returns the name of the missing setting needed to determine the Operating System build age. + +The following fields are available: + +- **m** The WaaS (“Workspace as a Service”—cloud-based “workspace”) Assessment Error String. + + ### Microsoft.Windows.WaaSMedic.Summary This event provides the results of the WaaSMedic diagnostic run @@ -4941,14 +4941,25 @@ The following fields are available: - **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). -## Windows Store events +## Microsoft Store events ### Microsoft.Windows.Store.Partner.ReportApplication -Report application event for Windows Store client. +Report application event for Microsoft Store client. +### Microsoft.Windows.Store.StoreActivating + +This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. + +The following fields are available: + +- **correlationVectorRoot** Identifies multiple events within a session/sequence. Initial value before incrementation or extension. +- **protocolUri** Protocol URI used to activate the store. +- **reason** The reason for activating the store. + + ### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. @@ -5193,7 +5204,7 @@ The following fields are available: ### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare -This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure. +This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. The following fields are available: @@ -5207,9 +5218,9 @@ FulfillmentComplete event is fired at the end of an app install or update. We us The following fields are available: - **FailedRetry** Tells us if the retry for an install or update was successful or not. -- **HResult** The HResult code of the operation. -- **PFN** The Package Family Name of the app that is being installed or updated. -- **ProductId** The product ID of the app that is being updated or installed. +- **HResult** Resulting HResult error/success code of this call +- **PFN** Package Family Name of the app that being installed or updated +- **ProductId** Product Id of the app that is being updated or installed ### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate @@ -5324,6 +5335,144 @@ The following fields are available: ## Windows Update Delivery Optimization events +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled + +This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download being done in the background? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **callerName** Name of the API caller. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **clientTelId** A random number used for device sampling. +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). +- **jobID** Identifier for the Windows Update job. +- **reasonCode** Reason the action or event occurred. +- **scenarioID** The ID of the scenario. +- **sessionID** The ID of the file download session. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted + +This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **bytesRequested** The total number of bytes requested for download. +- **cacheServerConnectionCount** Number of connections made to cache hosts. +- **callerName** Name of the API caller. +- **cdnConnectionCount** The total number of connections made to the CDN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP address of the source CDN. +- **clientTelId** A random number used for device sampling. +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). +- **downlinkUsageBps** The download speed (in bytes per second). +- **downloadMode** The download mode used for this file download session. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **fileSize** The size of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **groupConnectionCount** The total number of connections made to peers in the same group. +- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **lanConnectionCount** The total number of connections made to peers in the same LAN. +- **numPeers** The total number of peers used for this download. +- **restrictedUpload** Is the upload restricted? +- **scenarioID** The ID of the scenario. +- **sessionID** The ID of the download session. +- **totalTimeMs** Duration of the download (in seconds). +- **updateID** The ID of the update being downloaded. +- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). +- **uplinkUsageBps** The upload speed (in bytes per second). +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused + +This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **callerName** The name of the API caller. +- **clientTelId** A random number used for device sampling. +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being paused. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **reasonCode** The reason for pausing the download. +- **scenarioID** The ID of the scenario. +- **sessionID** The ID of the download session. +- **updateID** The ID of the update being paused. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted + +This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Indicates whether the download is happening in the background. +- **bytesRequested** Number of bytes requested for the download. +- **callerName** Name of the API caller. +- **cdnUrl** The URL of the source CDN. +- **clientTelId** A random number used for device sampling. +- **costFlags** A set of flags representing network cost. +- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). +- **diceRoll** Random number used for determining if a client will use peering. +- **doClientVersion** The version of the Delivery Optimization client. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **errorCode** The error code that was returned. +- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. +- **fileID** The ID of the file being downloaded. +- **filePath** The path to where the downloaded file will be written. +- **fileSize** Total file size of the file that was downloaded. +- **fileSizeCaller** Value for total file size provided by our caller. +- **groupID** ID for the group. +- **isVpn** Indicates whether the device is connected to a Virtual Private Network. +- **jobID** The ID of the Windows Update job. +- **minDiskSizeGB** The minimum disk size (in GB) policy set for the device to allow peering with delivery optimization. +- **minDiskSizePolicyEnforced** Indicates whether there is an enforced minimum disk size requirement for peering. +- **minFileSizePolicy** The minimum content file size policy to allow the download using peering with delivery optimization. +- **peerID** The ID for this delivery optimization client. +- **scenarioID** The ID of the scenario. +- **sessionID** The ID for the file download session. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** Indicates whether the download used memory streaming. + + ### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. @@ -5347,6 +5496,20 @@ The following fields are available: - **sessionID** The ID of the download session. +### Microsoft.OSG.DU.DeliveryOptClient.JobError + +This event represents a Windows Update job error. It allows for investigation of top errors. + +The following fields are available: + +- **clientTelId** A random number used for device sampling. +- **doErrorCode** Error code returned for delivery optimization. +- **errorCode** The error code returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **jobID** The Windows Update job ID. + + ## Windows Update events ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit @@ -5416,14 +5579,14 @@ This event collects information regarding the install phase of the new device ma The following fields are available: -- **errorCode** The error code returned for the current install phase. -- **flightId** Unique ID for each flight. -- **objectId** Unique value for each diagnostics session. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **result** Outcome of the install phase of the update. -- **scenarioId** Indicates the update scenario. -- **sessionId** Unique value for each update session. -- **updateId** Unique ID for each Update. +- **errorCode** The error code returned for the current install phase +- **flightId** The unique identifier for each flight +- **objectId** Unique value for each Update Agent mode +- **relatedCV** Correlation vector value generated from the latest scan +- **result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **sessionId** Unique value for each Update Agent mode attempt +- **updateId** Unique ID for each update ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart @@ -5432,13 +5595,13 @@ This event sends data for the start of each mode during the process of updating The following fields are available: -- **flightId** Unique ID for each flight. -- **mode** The mode that is starting. -- **objectId** Unique value for each diagnostics session. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **scenarioId** Indicates the update scenario. -- **sessionId** Unique value for each update session. -- **updateId** Unique ID for each Update. +- **flightId** The unique identifier for each flight +- **mode** Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit +- **objectId** Unique value for each Update Agent mode +- **relatedCV** Correlation vector value generated from the latest scan +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **sessionId** Unique value for each Update Agent mode attempt +- **updateId** Unique ID for each update ### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed @@ -5518,15 +5681,15 @@ This event indicates that a scan for a Windows Update occurred. The following fields are available: - **deferReason** Reason why the device could not check for updates. -- **detectionBlockreason** Reason for blocking detection +- **detectionBlockreason** Reason for detection not completing. - **detectionRetryMode** Indicates whether we will try to scan again. -- **errorCode** Error value -- **eventScenario** End to end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **errorCode** The returned error code. +- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. - **flightID** The specific ID of the Windows Insider build the device is getting. - **interactive** Indicates whether the session was user initiated. - **revisionNumber** Update revision number. - **updateId** Update ID. -- **updateScenarioType** The update session type. +- **updateScenarioType** Device ID - **wuDeviceid** Unique device ID used by Windows Update. @@ -5657,6 +5820,23 @@ The following fields are available: - **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). +### Microsoft.Windows.Update.Orchestrator.PostInstall + +This event is sent after a Windows update install completes. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **bundleId** Identifier associated with the specific content bundle. +- **bundleRevisionnumber** Identifies the revision number of the content bundle. +- **errorCode** The error code returned for the current phase. +- **eventScenario** State of update action. +- **flightID** Update session type +- **sessionType** The Windows Update session type (Interactive or Background). +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.PreShutdownStart This event is generated before the shutdown and commit operations. @@ -5736,6 +5916,21 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired + +This event sends data about whether an update required a reboot to help keep Windows up to date. + +The following fields are available: + +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed This event sends information about an update that encountered problems and was not able to complete. @@ -5856,7 +6051,7 @@ The following fields are available: - **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. - **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. - **rebootState** Current state of the reboot. -- **revisionNumber** Revision number of the update that is getting installed with this reboot. +- **revisionNumber** Revision number of the OS. - **scheduledRebootTime** Time scheduled for the reboot. - **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. - **updateId** Identifies which update is being scheduled. @@ -5932,4 +6127,18 @@ This event signals the completion of the setup process. It happens only once dur +## XBOX events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + + + diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 945ae68322..c8a8b09e66 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 11/07/2018 +ms.date: 12/13/2018 --- @@ -20,7 +20,7 @@ ms.date: 11/07/2018 - Windows 10, version 1803 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -48,34 +48,51 @@ The following fields are available: - **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. - **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. +- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. - **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device. +- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. - **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device. +- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. - **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device. +- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. - **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. +- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. - **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. +- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. - **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. +- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. - **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. - **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. - **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. - **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. - **InventoryApplicationFile** The count of the number of this particular object type present on this device. - **InventoryLanguagePack** The count of InventoryLanguagePack objects present on this machine. @@ -96,6 +113,7 @@ The following fields are available: - **SystemWlan** The count of SystemWlan objects present on this machine. - **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. - **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. +- **Wmdrm_RS5** The count of the number of this particular object type present on this device. ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd @@ -353,6 +371,7 @@ The following fields are available: - **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. - **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. - **DisplayGenericMessage** Will be a generic message be shown for this file? +- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. - **HardBlock** This file is blocked in the SDB. - **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? - **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? @@ -408,6 +427,7 @@ The following fields are available: - **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? - **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? - **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? +- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. - **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? - **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? - **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? @@ -449,6 +469,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. - **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? - **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? - **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? @@ -527,6 +548,7 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. - **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? @@ -638,6 +660,7 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. - **Blocking** Is the device blocked from upgrade due to a BIOS block? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. - **HasBiosBlock** Does the device have a BIOS block? @@ -686,6 +709,8 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. +- **AvDisplayName** If the app is an antivirus app, this is its display name. +- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. - **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. - **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. - **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. @@ -693,6 +718,8 @@ The following fields are available: - **CompanyName** The company name of the vendor who developed this file. - **FileId** A hash that uniquely identifies a file. - **FileVersion** The File version field from the file metadata under Properties -> Details. +- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. +- **IsAv** Indicates whether the file an antivirus reporting EXE. - **LinkDate** The date and time that this file was linked on. - **LowerCaseLongPath** The full file path to the file that was inventoried on the device. - **Name** The name of the file that was inventoried. @@ -1272,6 +1299,8 @@ The following fields are available: - **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. - **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. - **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. +- **InboxDataVersion** The original version of the data files before retrieving any newer version. +- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. - **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. - **PCFP** An ID for the system calculated by hashing hardware identifiers. - **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. @@ -1692,6 +1721,7 @@ The following fields are available: - **OSRolledBack** A flag that represents when a feature update has rolled back during setup. - **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . - **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. +- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default. - **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. @@ -1910,6 +1940,83 @@ The following fields are available: - **ImageName** Name of file. +## Component-based Servicing events + +### CbsServicingProvider.CbsCapabilityEnumeration + +This event reports on the results of scanning for optional Windows content on Windows Update. + +The following fields are available: + +- **architecture** Indicates the scan was limited to the specified architecture. +- **capabilityCount** The number of optional content packages found during the scan. +- **clientId** The name of the application requesting the optional content. +- **duration** The amount of time it took to complete the scan. +- **hrStatus** The HReturn code of the scan. +- **language** Indicates the scan was limited to the specified language. +- **majorVersion** Indicates the scan was limited to the specified major version. +- **minorVersion** Indicates the scan was limited to the specified minor version. +- **namespace** Indicates the scan was limited to packages in the specified namespace. +- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **currentID** The ID of the current install session. +- **highestState** The highest final install state of the optional content. +- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **retryID** The session ID that will be used to retry a failed operation. +- **retryStatus** Indicates whether the install will be retried in the event of failure. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionPended + +This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. + +The following fields are available: + +- **clientId** The name of the application requesting the optional content. +- **pendingDecision** Indicates the cause of reboot, if applicable. + + +### CbsServicingProvider.CbsPackageRemoval + +This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build number of the security update being uninstalled. +- **clientId** The name of the application requesting the uninstall. +- **currentStateEnd** The final state of the update after the operation. +- **failureDetails** Information about the cause of a failure, if applicable. +- **failureSourceEnd** The stage during the uninstall where the failure occurred. +- **hrStatusEnd** The overall exit code of the operation. +- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. +- **majorVersion** The major version number of the security update being uninstalled. +- **minorVersion** The minor version number of the security update being uninstalled. +- **originalState** The starting state of the update before the operation. +- **pendingDecision** Indicates the cause of reboot, if applicable. +- **primitiveExecutionContext** The state during system startup when the uninstall was completed. +- **revisionVersion** The revision number of the security update being uninstalled. +- **transactionCanceled** Indicates whether the uninstall was cancelled. + + ## Deployment extensions ### DeploymentTelemetry.Deployment_End @@ -1980,7 +2087,7 @@ The following fields are available: ## Diagnostic data events -### TelClientSynthetic.AuthorizationInfo_Startup +### TelClientSynthetic.AuthorizationInfo_RuntimeTransition This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. @@ -1999,6 +2106,40 @@ The following fields are available: - **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. +### TelClientSynthetic.AuthorizationInfo_Startup + +Fired by UTC at startup to signal what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.ConnectivityHeartbeat_0 + +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. + +The following fields are available: + +- **CensusExitCode** Last exit code of the Census task. +- **CensusStartTime** Time of last Census run. +- **CensusTaskEnabled** True if Census is enabled, false otherwise. +- **LastFreeNetworkLossTime** The FILETIME at which the last free network loss occurred. +- **NetworkState** The network state of the device. +- **NoNetworkTimeSec** The total number of seconds without network during this heartbeat period. +- **RestrictedNetworkTimeSec** The total number of seconds with restricted network during this heartbeat period. + + ### TelClientSynthetic.HeartBeat_5 This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. @@ -3257,6 +3398,9 @@ Indicates that this particular data object represented by the objectInstanceId i This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync @@ -3344,6 +3488,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: +- **InventoryVersion** The version of the inventory binary generating the events. - **OfficeApplication** The name of the Office application. - **OfficeArchitecture** The bitness of the Office application. - **OfficeVersion** The version of the Office application. @@ -3356,6 +3501,9 @@ Indicates that this particular data object represented by the objectInstanceId i This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync @@ -3364,6 +3512,9 @@ This diagnostic event indicates that a new sync is being generated for this obje This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd @@ -3430,6 +3581,7 @@ The following fields are available: - **DuplicateVBA** Count of files with duplicate VBA code - **HasVBA** Count of files with VBA code - **Inaccessible** Count of files that were inaccessible for scanning +- **InventoryVersion** The version of the inventory binary generating the events. - **Issues** Count of files with issues detected - **Issues_x64** Count of files with 64-bit issues detected - **IssuesNone** Count of files with no issues detected @@ -3481,6 +3633,9 @@ This event indicates that a new sync is being generated for this object type. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync @@ -3735,82 +3890,67 @@ The following fields are available: - **winInetError** The HResult of the operation. -## Other events +## Privacy consent logging events -### CbsServicingProvider.CbsCapabilityEnumeration +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted -This event reports on the results of scanning for optional Windows content on Windows Update. +This event is used to determine whether the user successfully completed the privacy consent experience. The following fields are available: -- **architecture** Indicates the scan was limited to the specified architecture. -- **capabilityCount** The number of optional content packages found during the scan. -- **clientId** The name of the application requesting the optional content. -- **duration** The amount of time it took to complete the scan. -- **hrStatus** The HReturn code of the scan. -- **language** Indicates the scan was limited to the specified language. -- **majorVersion** Indicates the scan was limited to the specified major version. -- **minorVersion** Indicates the scan was limited to the specified minor version. -- **namespace** Indicates the scan was limited to packages in the specified namespace. -- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. +- **presentationVersion** Which display version of the privacy consent experience the user completed +- **privacyConsentState** The current state of the privacy consent experience +- **settingsVersion** Which setting version of the privacy consent experience the user completed +- **userOobeExitReason** The exit reason of the privacy consent experience -### CbsServicingProvider.CbsCapabilitySessionFinalize +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentPrep -This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. +This event is used to determine whether the user needs to see the privacy consent experience or not. The following fields are available: -- **capabilities** The names of the optional content packages that were installed. -- **clientId** The name of the application requesting the optional content. -- **currentID** The ID of the current install session. -- **highestState** The highest final install state of the optional content. -- **hrStatus** The HReturn code of the install operation. -- **rebootCount** The number of reboots required to complete the install. -- **retryID** The session ID that will be used to retry a failed operation. -- **retryStatus** Indicates whether the install will be retried in the event of failure. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. +- **s0** Indicates the error level encountered during Privacy Consent Preparation. See [Microsoft.Windows.Shell.PrivacyConsentLogging.wilActivity](#microsoftwindowsshellprivacyconsentloggingwilactivity). +- **wilActivity** Information of the thread where the error occurred (thread ID). See [wilActivity](#wilactivity). -### CbsServicingProvider.CbsCapabilitySessionPended +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus -This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. +Event tells us effectiveness of new privacy experience. The following fields are available: -- **clientId** The name of the application requesting the optional content. -- **pendingDecision** Indicates the cause of reboot, if applicable. +- **isAdmin** Whether the current user is an administrator or not +- **isLaunching** Whether or not the privacy consent experience will be launched +- **isSilentElevation** Whether the current user has enabled silent elevation +- **privacyConsentState** The current state of the privacy consent experience +- **userRegionCode** The current user's region setting -### CbsServicingProvider.CbsPackageRemoval +### Microsoft.Windows.Shell.PrivacyConsentLogging.wilActivity -This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. +This event returns information if an error is encountered while computing whether the user needs to complete privacy consents in certain upgrade scenarios. The following fields are available: -- **buildVersion** The build number of the security update being uninstalled. -- **clientId** The name of the application requesting the uninstall. -- **currentStateEnd** The final state of the update after the operation. -- **failureDetails** Information about the cause of a failure, if applicable. -- **failureSourceEnd** The stage during the uninstall where the failure occurred. -- **hrStatusEnd** The overall exit code of the operation. -- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. -- **majorVersion** The major version number of the security update being uninstalled. -- **minorVersion** The minor version number of the security update being uninstalled. -- **originalState** The starting state of the update before the operation. -- **pendingDecision** Indicates the cause of reboot, if applicable. -- **primitiveExecutionContext** The state during system startup when the uninstall was completed. -- **revisionVersion** The revision number of the security update being uninstalled. -- **transactionCanceled** Indicates whether the uninstall was cancelled. +- **callContext** A list of Windows Diagnostic activities/events containing this error. +- **currentContextId** The ID for the newest activity/event containing this error. +- **currentContextMessage** Any custom message for the activity context. +- **currentContextName** The name of the newest activity/event context containing this error. +- **failureType** The type of failure observed: exception, returned error, etc. +- **fileName** The name of the fine in which the error was encountered. +- **hresult** The Result Code of the error. +- **lineNumber** The line number where the error was encountered. +- **message** Any message associated with the error. +- **module** The name of the binary module where the error was encountered. +- **originatingContextId** The ID of the oldest telemetry activity containing this error. +- **originatingContextMessage** Any custom message associated with the oldest Windows Diagnostic activity/event containing this error. +- **originatingContextName** The name associated with the oldest Windows Diagnostic activity/event containing this error. +- **threadId** The ID of the thread the activity was run on. +## Remediation events + ### Microsoft.Windows.Remediation.Applicable This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date. @@ -3978,6 +4118,7 @@ The following fields are available: - **RemediationHibernationMigrated** TRUE if hibernation was migrated. - **RemediationHibernationMigrationSucceeded** TRUE if hibernation migration succeeded. - **RemediationImpersonateUserSucceeded** TRUE if the user was successfully impersonated. +- **RemediationNoisyHammerTaskFixSuccessId** Indicates whether the Update Assistant task fix was successful. - **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the NoisyHammer task started successfully. - **RemediationQueryTokenSucceeded** TRUE if the user token was successfully queried. - **RemediationRanHibernation** TRUE if the system entered Hibernation. @@ -3999,13 +4140,16 @@ The following fields are available: - **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System Disk Drive, measured in Megabytes. - **Result** The HRESULT for Detection or Perform Action phases of the plug-in. - **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in. +- **ServiceHardeningExitCode** The exit code returned by Windows Service Repair. +- **ServiceHealthEnabledBitMap** List of services updated by the plugin. +- **ServiceHealthInstalledBitMap** List of services installed by the plugin. - **ServiceHealthPlugin** The nae of the Service Health plug-in. - **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully. - **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs. - **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot. - **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. -- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes. -- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes. +- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Microsoft Store cache after cleanup, measured in Megabytes. +- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Microsoft Store cache (prior to cleanup), measured in Megabytes. - **uninstallActive** TRUE if previous uninstall has occurred for current OS - **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan. - **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. @@ -4059,153 +4203,7 @@ The following fields are available: - **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. - - -### Microsoft.Windows.SedimentLauncher.Applicable - -Indicates whether a given plugin is applicable. - -The following fields are available: - -- **CV** Correlation vector. -- **DetectedCondition** Boolean true if detect condition is true and perform action will be run. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings. -- **IsSelfUpdateNeeded** True if self update needed by device. -- **PackageVersion** Current package version of Remediation. -- **PluginName** Name of the plugin specified for each generic plugin event. -- **Result** This is the HRESULT for detection or perform action phases of the plugin. - - -### Microsoft.Windows.SedimentLauncher.Completed - -Indicates whether a given plugin has completed its work. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of Remediation. -- **PluginName** Name of the plugin specified for each generic plugin event. -- **Result** This is the HRESULT for detection or perform action phases of the plugin. -- **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher. - - -### Microsoft.Windows.SedimentLauncher.Started - -This event indicates that a given plug-in has started. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of Remediation. -- **PluginName** Name of the plugin specified for each generic plugin event. -- **Result** This is the HRESULT for detection or perform action phases of the plugin. - - -### Microsoft.Windows.SedimentService.Applicable - -This event indicates whether a given plug-in is applicable. - -The following fields are available: - -- **CV** Correlation vector. -- **DetectedCondition** Determine whether action needs to run based on device properties. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of Remediation. -- **PluginName** Name of the plugin. -- **Result** This is the HRESULT for detection or perform action phases of the plugin. - - -### Microsoft.Windows.SedimentService.Completed - -This event indicates whether a given plug-in has completed its work. - -The following fields are available: - -- **CV** Correlation vector. -- **FailedReasons** List of reasons when the plugin action failed. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of Remediation. -- **PluginName** Name of the plugin specified for each generic plugin event. -- **Result** This is the HRESULT for detection or perform action phases of the plugin. -- **SedimentServiceCheckTaskFunctional** True/False if scheduled task check succeeded. -- **SedimentServiceCurrentBytes** Number of current private bytes of memory consumed by sedsvc.exe. -- **SedimentServiceKillService** True/False if service is marked for kill (Shell.KillService). -- **SedimentServiceMaximumBytes** Maximum bytes allowed for the service. -- **SedimentServiceRetrievedKillService** True/False if result of One Settings check for kill succeeded - we only send back one of these indicators (not for each call). -- **SedimentServiceStopping** True/False indicating whether the service is stopping. -- **SedimentServiceTaskFunctional** True/False if scheduled task is functional. If task is not functional this indicates plugins will be run. -- **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again. - - -### Microsoft.Windows.SedimentService.Started - -This event indicates a specified plug-in has started. This information helps ensure Windows is up to date. - -The following fields are available: - -- **CV** The Correlation Vector. -- **GlobalEventCounter** The client-side counter that indicates ordering of events. -- **PackageVersion** The version number of the current remediation package. -- **PluginName** Name of the plugin specified for each generic plugin event. -- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. - - -### Microsoft.Xbox.XamTelemetry.AppActivationError - -This event indicates whether the system detected an activation error in the app. - - - -### Microsoft.Xbox.XamTelemetry.AppActivity - -This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. - -The following fields are available: - -- **AppActionId** The ID of the application action. -- **AppCurrentVisibilityState** The ID of the current application visibility state. -- **AppId** The Xbox LIVE Title ID of the app. -- **AppPackageFullName** The full name of the application package. -- **AppPreviousVisibilityState** The ID of the previous application visibility state. -- **AppSessionId** The application session ID. -- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). -- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. -- **DurationMs** The amount of time (in milliseconds) since the last application state transition. -- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. -- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). -- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. -- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. -- **UserId** The XUID (Xbox User ID) of the current user. - - -## Privacy consent logging events - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted - -This event is used to determine whether the user successfully completed the privacy consent experience. - -The following fields are available: - -- **presentationVersion** Which display version of the privacy consent experience the user completed -- **privacyConsentState** The current state of the privacy consent experience -- **settingsVersion** Which setting version of the privacy consent experience the user completed -- **userOobeExitReason** The exit reason of the privacy consent experience - - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus - -Event tells us effectiveness of new privacy experience. - -The following fields are available: - -- **isAdmin** whether the person who is logging in is an admin -- **isLaunching** Whether or not the privacy consent experience will be launched -- **isSilentElevation** whether the user has most restrictive UAC controls -- **privacyConsentState** whether the user has completed privacy experience -- **userRegionCode** The current user's region setting +- **RunCount** The number of times the remediation event started (whether it completed successfully or not). ## Sediment events @@ -4272,6 +4270,100 @@ The following fields are available: - **Time** System timestamp when the event was started. +### Microsoft.Windows.SedimentLauncher.Applicable + +Indicates whether a given plugin is applicable. + +The following fields are available: + +- **CV** Correlation vector. +- **DetectedCondition** Boolean true if detect condition is true and perform action will be run. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings. +- **IsSelfUpdateNeeded** True if self update needed by device. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentLauncher.Completed + +Indicates whether a given plugin has completed its work. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. +- **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher. + + +### Microsoft.Windows.SedimentLauncher.Started + +This event indicates that a given plug-in has started. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentService.Applicable + +This event indicates whether a given plug-in is applicable. + +The following fields are available: + +- **CV** Correlation vector. +- **DetectedCondition** Determine whether action needs to run based on device properties. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **IsSelfUpdateEnabledInOneSettings** Indicates if self update is enabled in One Settings. +- **IsSelfUpdateNeeded** Indicates if self update is needed. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentService.Completed + +This event indicates whether a given plug-in has completed its work. + +The following fields are available: + +- **CV** Correlation vector. +- **FailedReasons** List of reasons when the plugin action failed. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. +- **SedimentServiceCheckTaskFunctional** True/False if scheduled task check succeeded. +- **SedimentServiceCurrentBytes** Number of current private bytes of memory consumed by sedsvc.exe. +- **SedimentServiceKillService** True/False if service is marked for kill (Shell.KillService). +- **SedimentServiceMaximumBytes** Maximum bytes allowed for the service. +- **SedimentServiceRetrievedKillService** True/False if result of One Settings check for kill succeeded - we only send back one of these indicators (not for each call). +- **SedimentServiceStopping** True/False indicating whether the service is stopping. +- **SedimentServiceTaskFunctional** True/False if scheduled task is functional. If task is not functional this indicates plugins will be run. +- **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again. + + +### Microsoft.Windows.SedimentService.Started + +This event indicates a specified plug-in has started. This information helps ensure Windows is up to date. + +The following fields are available: + +- **CV** The Correlation Vector. +- **GlobalEventCounter** The client-side counter that indicates ordering of events. +- **PackageVersion** The version number of the current remediation package. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. + + ## Setup events ### SetupPlatformTel.SetupPlatformTelActivityEvent @@ -4401,7 +4493,7 @@ The following fields are available: - **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it. - **IsExecutingAction** If the action is presently being executed. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.) +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.) - **SihclientVersion** The client version that is being used. - **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it. - **StatusCode** Result code of the event (success, cancellation, failure code HResult). @@ -4423,7 +4515,7 @@ The following fields are available: - **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **FailedParseActions** The list of actions that were not successfully parsed. - **ParsedActions** The list of actions that were successfully parsed. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.) +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.) - **SihclientVersion** The client version that is being used. - **WuapiVersion** The Windows Update API version that is currently installed. - **WuaucltVersion** The Windows Update client version that is currently installed. @@ -4503,7 +4595,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). @@ -4539,7 +4631,7 @@ The following fields are available: - **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **SystemBIOSMajorRelease** Major release version of the system bios - **SystemBIOSMinorRelease** Minor release version of the system bios - **UpdateId** Identifier associated with the specific piece of content @@ -4602,7 +4694,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -4723,7 +4815,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. - **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). @@ -4749,7 +4841,7 @@ The following fields are available: - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). - **WUDeviceID** The unique device ID controlled by the software distribution client. @@ -4760,28 +4852,28 @@ Ensures Windows Updates are secure and complete. Event helps to identify whether The following fields are available: - **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. -- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **LeafCertId** Integral id from the FragmentSigning data for certificate which failed. +- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. +- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. +- **ExtendedStatusCode** The secondary status code of the event. +- **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed. - **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. -- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce -- **MetadataSignature** Base64 string of the signature associated with the update metadata (specified by revision id) +- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce +- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). - **RawMode** Raw unparsed mode string from the SLS response. May be null if not applicable. - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. -- **RevisionId** Identifies the revision of this specific piece of content -- **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **RevisionId** The revision ID for a specific piece of content. +- **RevisionNumber** The revision number for a specific piece of content. +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store - **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. -- **SHA256OfLeafCertPublicKey** Base64 encoding of hash of the Base64CertData in the FragmentSigning data of leaf certificate. -- **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob -- **SignatureAlgorithm** Hash algorithm for the metadata signature -- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". -- **StatusCode** Result code of the event (success, cancellation, failure code HResult) -- **TimestampTokenCertThumbprint** Thumbprint of the encoded timestamp token. -- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed. -- **UpdateId** Identifier associated with the specific piece of content -- **ValidityWindowInDays** Validity window in effect when verifying the timestamp +- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. +- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob. +- **SignatureAlgorithm** The hash algorithm for the metadata signature. +- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast +- **StatusCode** The status code of the event. +- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. +- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. +- **UpdateId** The update ID for a specific piece of content. +- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. ## Update events @@ -4832,6 +4924,7 @@ The following fields are available: - **FlightId** Unique ID for each flight. - **InternalFailureResult** Indicates a non-fatal error from a plugin. - **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. - **PackageCountOptional** Number of optional packages requested. - **PackageCountRequired** Number of required packages requested. - **PackageCountTotal** Total number of packages needed. @@ -5057,7 +5150,7 @@ The following fields are available: - **ScenarioId** Indicates the update scenario. - **SessionId** Unique value for each update attempt. - **SetupMode** Mode of setup to be launched. -- **UpdateId** Unique ID for each update. +- **UpdateId** Unique ID for each Update. - **UserSession** Indicates whether install was invoked by user actions. @@ -5076,7 +5169,7 @@ The following fields are available: - **CV** Correlation vector. - **DetectorVersion** Most recently run detector version for the current campaign. - **GlobalEventCounter** Client side counter that indicates the ordering of events sent by this user. -- **key1** Interaction data for the UI +- **key1** UI interaction data - **key10** UI interaction data - **key11** UI interaction data - **key12** UI interaction data @@ -5087,7 +5180,7 @@ The following fields are available: - **key17** UI interaction data - **key18** UI interaction data - **key19** UI interaction data -- **key2** Interaction data for the UI +- **key2** UI interaction data - **key20** UI interaction data - **key21** UI interaction data - **key22** UI interaction data @@ -5098,12 +5191,12 @@ The following fields are available: - **key27** UI interaction data - **key28** UI interaction data - **key29** UI interaction data -- **key3** Interaction data for the UI +- **key3** UI interaction data - **key30** UI interaction data -- **key4** Interaction data for the UI -- **key5** UI interaction type -- **key6** Current package version of UNP -- **key7** UI interaction type +- **key4** UI interaction data +- **key5** UI interaction data +- **key6** UI interaction data +- **key7** UI interaction data - **key8** UI interaction data - **key9** UI interaction data - **PackageVersion** Current package version of the update notification. @@ -5283,7 +5376,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** ID that uniquely identifies a group of events. - **WuId** Windows Update client ID. @@ -5425,6 +5518,7 @@ The following fields are available: - **ReportId** ID for tying together events stream side. - **ResultCode** Result returned by setup for the entire operation. - **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **ScenarioId** Identifies the update scenario. - **TargetBranch** Branch of the target OS. - **TargetBuild** Build of the target OS. @@ -5581,7 +5675,18 @@ The following fields are available: - **PertProb** Constant used in algorithm for randomization. -## Windows Store events +## Microsoft Store events + +### Microsoft.Windows.Store.StoreActivating + +This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. + +The following fields are available: + +- **correlationVectorRoot** Identifies multiple events within a session/sequence. Initial value before incrementation or extension. +- **protocolUri** Protocol URI used to activate the store. +- **reason** The reason for activating the store. + ### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation @@ -5606,7 +5711,7 @@ The following fields are available: - **ProductId** The identity of the package or packages being installed. - **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. - **UserAttemptNumber** The total number of user attempts at installation before it was canceled. -- **WUContentId** Licensing identity of this package. +- **WUContentId** The Windows Update content ID. ### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds @@ -5757,7 +5862,7 @@ The following fields are available: - **ProductId** The Store Product ID for the product being installed. - **SystemAttemptNumber** The total number of system attempts. - **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. +- **WUContentId** Licensing identity of this package. ### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates @@ -5827,7 +5932,7 @@ The following fields are available: ### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare -This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure. +This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. The following fields are available: @@ -5968,7 +6073,7 @@ The following fields are available: - **current** Result of currency check. - **dismOperationSucceeded** Dism uninstall operation status. -- **hResult** Failure Error code. +- **hResult** Failure error code. - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. @@ -6144,6 +6249,46 @@ The following fields are available: - **sessionID** The ID of the download session. - **updateID** The ID of the update being paused. + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted + +This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Indicates whether the download is happening in the background. +- **bytesRequested** Number of bytes requested for the download. +- **callerName** Name of the API caller. +- **cdnUrl** The URL of the source CDN +- **costFlags** A set of flags representing network cost. +- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). +- **diceRoll** Random number used for determining if a client will use peering. +- **doClientVersion** The version of the Delivery Optimization client. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **errorCode** The error code that was returned. +- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. +- **fileID** The ID of the file being downloaded. +- **filePath** The path to where the downloaded file will be written. +- **fileSize** Total file size of the file that was downloaded. +- **fileSizeCaller** Value for total file size provided by our caller. +- **groupID** ID for the group. +- **isEncrypted** Indicates whether the download is encrypted. +- **isVpn** Indicates whether the device is connected to a Virtual Private Network. +- **jobID** The ID of the Windows Update job. +- **minDiskSizeGB** The minimum disk size (in GB) policy set for the device to allow peering with delivery optimization. +- **minDiskSizePolicyEnforced** Indicates whether there is an enforced minimum disk size requirement for peering. +- **minFileSizePolicy** The minimum content file size policy to allow the download using peering with delivery optimization. +- **peerID** The ID for this delivery optimization client. +- **predefinedCallerName** Name of the API caller. +- **scenarioID** The ID of the scenario. +- **sessionID** The ID for the file download session. +- **setConfigs** A JSON representation of the configurations that have been set, and their sources. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** Indicates whether the download used memory streaming. + + ### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. @@ -6153,7 +6298,6 @@ The following fields are available: - **cdnHeaders** The HTTP headers returned by the CDN. - **cdnIp** The IP address of the CDN. - **cdnUrl** The URL of the CDN. -- **clientTelId** A random number used for device sampling. - **errorCode** The error code that was returned. - **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. - **experimentId** When running a test, this is used to correlate with other events that are part of the same test. @@ -6166,6 +6310,21 @@ The following fields are available: - **responseSize** The size of the range response received from the CDN. - **sessionID** The ID of the download session. + +### Microsoft.OSG.DU.DeliveryOptClient.JobError + +This event represents a Windows Update job error. It allows for investigation of top errors. + +The following fields are available: + +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **doErrorCode** Error code returned for delivery optimization. +- **errorCode** The error code returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **jobID** The Windows Update job ID. + + ## Windows Update events ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary @@ -6175,21 +6334,21 @@ This event collects information regarding the state of devices and drivers on th The following fields are available: - **activated** Whether the entire device manifest update is considered activated and in use. -- **analysisErrorCount** How many driver packages could not be analyzed because errors were hit during the analysis. +- **analysisErrorCount** How many driver packages that could not be analyzed because errors were hit during the analysis. - **flightId** Unique ID for each flight. -- **missingDriverCount** How many driver packages that were delivered by the device manifest are missing from the system. -- **missingUpdateCount** How many updates that were part of the device manifest are missing from the system. +- **missingDriverCount** How many driver packages that were delivered by the device manifest that are missing from the system. +- **missingUpdateCount** How many updates that were part of the device manifest that are missing from the system. - **objectId** Unique value for each diagnostics session. -- **publishedCount** How many drivers packages that were delivered by the device manifest are published and available to be used on devices. +- **publishedCount** How many drivers packages that were delivered by the device manifest that are published and available to be used on devices. - **relatedCV** Correlation vector value generated from the latest USO scan. - **scenarioId** Indicates the update scenario. - **sessionId** Unique value for each update session. -- **summary** A summary string that contains some basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. +- **summary** A summary string that contains some basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match on. - **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. -- **truncatedDeviceCount** How many devices are missing from the summary string because there is not enough room in the string. -- **truncatedDriverCount** How many driver packages are missing from the summary string because there is not enough room in the string. +- **truncatedDeviceCount** How many devices are missing from the summary string due to there not being enough room in the string. +- **truncatedDriverCount** How many driver packages are missing from the summary string due to there not being enough room in the string. - **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. -- **updateId** Unique ID for each update. +- **updateId** Unique ID for each Update. ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit @@ -6531,9 +6690,9 @@ The following fields are available: - **deferReason** Reason why the device could not check for updates. - **detectionBlockingPolicy** State of update action. -- **detectionBlockreason** If we retry to scan +- **detectionBlockreason** State of update action - **detectionRetryMode** Indicates whether we will try to scan again. -- **errorCode** State of update action +- **errorCode** Error info - **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. - **flightID** The specific ID of the Windows Insider build the device is getting. - **interactive** Indicates whether the session was user initiated. @@ -6541,7 +6700,7 @@ The following fields are available: - **revisionNumber** Update revision number. - **scanTriggerSource** Source of the triggered scan. - **updateId** Update ID. -- **updateScenarioType** Update Session type +- **updateScenarioType** Device ID - **wuDeviceid** Device ID @@ -7029,7 +7188,7 @@ The following fields are available: - **scheduledRebootTime** Time scheduled for the reboot. - **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. - **updateId** Identifies which update is being scheduled. -- **wuDeviceid** Unique device ID used by Windows Update. +- **wuDeviceid** Unique DeviceID ### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerFirstReadyToReboot @@ -7044,8 +7203,8 @@ This event is sent when MUSE broker schedules a task. The following fields are available: -- **TaskArgument** The arguments which the task is scheduled with -- **TaskName** Name of the task +- **TaskArgument** The arguments with which the task is scheduled. +- **TaskName** Name of the task. ### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled @@ -7146,4 +7305,34 @@ This event signals the completion of the setup process. It happens only once dur +## XBOX events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index b83547ea2a..639c8005ed 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 11/07/2018 +ms.date: 12/13/2018 --- @@ -20,7 +20,7 @@ ms.date: 11/07/2018 - Windows 10, version 1809 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -38,6 +38,34 @@ You can learn more about Windows functional and diagnostic data through these ar +## Account trace logging provider events + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General + +This event provides information about application properties to indicate the successful execution. + +The following fields are available: + +- **AppMode** Indicates the mode the app is being currently run around privileges. +- **ExitCode** Indicates the exit code of the app. +- **Help** Indicates if the app needs to be launched in the help mode. +- **ParseError** Indicates if there was a parse error during the execution. +- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. +- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. +- **TestMode** Indicates whether the app is being run in test mode. + + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount + +This event provides information about the properties of user accounts in the Administrator group. + +The following fields are available: + +- **Internal** Indicates the internal property associated with the count group. +- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. +- **Result** The HResult error. + + ## AppLocker events ### Microsoft.Windows.Security.AppLockerCSP.ActivityStoppedAutomatically @@ -273,115 +301,202 @@ This event lists the types of objects and how many of each exist on the client d The following fields are available: +- **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. - **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. - **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. - **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. - **DatasourceDevicePnp_RS2** The total DatasourceDevicePnp objects targeting Windows 10 version 1703 present on this device. - **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device. +- **DatasourceDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. - **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. - **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device. +- **DatasourceDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoBlock_RS2** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. - **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. - **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. - **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. - **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. - **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. - **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device. +- **DatasourceSystemBios_RS3Setup** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. - **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. - **DecisionDevicePnp_RS2** The total DecisionDevicePnp objects targeting Windows 10 version 1703 present on this device. - **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. +- **DecisionDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. - **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. +- **DecisionDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. - **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. - **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. - **DecisionMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. - **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. - **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. - **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. - **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. - **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. - **DecisionMediaCenter_RS4** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19ASetup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. - **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 present on this device. - **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS3Setup** The count of the number of this particular object type present on this device. - **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. - **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. - **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. - **InventoryApplicationFile** The count of the number of this particular object type present on this device. +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. - **InventoryLanguagePack** The count of the number of this particular object type present on this device. - **InventoryMediaCenter** The count of the number of this particular object type present on this device. - **InventorySystemBios** The count of the number of this particular object type present on this device. +- **InventoryTest** The count of the number of this particular object type present on this device. - **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. - **PCFP** The count of the number of this particular object type present on this device. - **SystemMemory** The count of the number of this particular object type present on this device. @@ -394,11 +509,16 @@ The following fields are available: - **SystemWim** The count of the number of this particular object type present on this device. - **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. - **SystemWlan** The count of the number of this particular object type present on this device. +- **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. - **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. - **Wmdrm_RS2** The total Wmdrm objects targeting Windows 10 version 1703 present on this device. - **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. - **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. - **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_RS5** The count of the number of this particular object type present on this device. +- **Wmdrm_RS5Setup** The count of the number of this particular object type present on this device. - **Wmdrm_TH1** The count of the number of this particular object type present on this device. - **Wmdrm_TH2** The count of the number of this particular object type present on this device. @@ -454,6 +574,7 @@ The following fields are available: - **ActiveNetworkConnection** Indicates whether the device is an active network device. - **AppraiserVersion** The version of the appraiser file generating the events. - **IsBootCritical** Indicates whether the device boot is critical. +- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device. - **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. - **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. - **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. @@ -647,6 +768,7 @@ The following fields are available: - **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. - **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. - **DisplayGenericMessage** Will be a generic message be shown for this file? +- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. - **HardBlock** This file is blocked in the SDB. - **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? - **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? @@ -702,6 +824,7 @@ The following fields are available: - **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? - **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? - **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? +- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. - **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? - **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? - **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? @@ -743,6 +866,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. - **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? - **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? - **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? @@ -821,6 +945,7 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. - **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? @@ -932,6 +1057,7 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. - **Blocking** Is the device blocked from upgrade due to a BIOS block? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. - **HasBiosBlock** Does the device have a BIOS block? @@ -1196,6 +1322,7 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. - **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. - **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan. - **Time** The client time of the event. @@ -1585,6 +1712,7 @@ The following fields are available: - **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. - **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. - **RunResult** The hresult of the Appraiser telemetry run. +- **ScheduledUploadDay** The day scheduled for the upload. - **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. - **StoreHandleIsNotNull** Obsolete, always set to false - **TelementrySent** Indicates if telemetry was successfully sent. @@ -1741,6 +1869,7 @@ The following fields are available: - **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. - **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. - **D3DMaxFeatureLevel** Supported Direct3D version. +- **DeviceColor** Indicates a color of the device. - **DeviceForm** Indicates the form as per the device classification. - **DeviceName** The device name that is set by the user. - **DigitizerSupport** Is a digitizer supported? @@ -1806,6 +1935,48 @@ The following fields are available: - **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. +### Census.OS + +This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date. + +The following fields are available: + +- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. +- **AssignedAccessStatus** Kiosk configuration mode. +- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. +- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. +- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time +- **GenuineState** Retrieves the ID Value specifying the OS Genuine check. +- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). +- **InstallLanguage** The first language installed on the user machine. +- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. +- **IsEduData** Returns Boolean if the education data policy is enabled. +- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go +- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. +- **LanguagePacks** The list of language packages installed on the device. +- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. +- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. +- **OSEdition** Retrieves the version of the current OS. +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc +- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). +- **OSSKU** Retrieves the Friendly Name of OS Edition. +- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. +- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. +- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine. +- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. +- **ProductActivationResult** Returns Boolean if the OS Activation was successful. +- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. +- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. +- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. +- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. +- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. +- **ServiceProductKeyID** Retrieves the License key of the KMS +- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **Signature** Retrieves if it is a signature machine sold by Microsoft store. +- **SLICStatus** Whether a SLIC table exists on the device. +- **SLICVersion** Returns OS type/version from SLIC table. + + ### Census.PrivacySettings This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. @@ -1935,8 +2106,11 @@ This event sends data about the current user's default preferences for browser a The following fields are available: +- **CalendarType** The calendar identifiers that are used to specify different calendars. - **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. - **DefaultBrowserProgId** The ProgramId of the current user's default browser. +- **LongDateFormat** The long date format the user has selected. +- **ShortDateFormat** The short date format the user has selected. ### Census.UserDisplay @@ -2266,6 +2440,20 @@ The following fields are available: - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. +## Compatibility events + +### Microsoft.Windows.Compatibility.Apphelp.SdbFix + +Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components. + +The following fields are available: + +- **AppName** Name of the application impacted by SDB. +- **FixID** SDB GUID. +- **Flags** List of flags applied. +- **ImageName** Name of file. + + ## Component-based servicing events ### CbsServicingProvider.CbsCapabilityEnumeration @@ -2299,6 +2487,7 @@ The following fields are available: - **capabilities** The names of the optional content packages that were installed. - **clientId** The name of the application requesting the optional content. - **currentID** The ID of the current install session. +- **downloadSource** The source of the download. - **highestState** The highest final install state of the optional content. - **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. - **hrStatus** The HReturn code of the install operation. @@ -2479,6 +2668,59 @@ The following fields are available: - **VirtualMachineId** If the operating system is on a virtual Machine, it gives the virtual Machine ID (GUID) that can be used to correlate events on the host. +### TelClientSynthetic.AuthorizationInfo_RuntimeTransition + +This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.AuthorizationInfo_Startup + +Fired by UTC at startup to signal what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.ConnectivityHeartBeat_0 + +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. + +The following fields are available: + +- **CensusExitCode** Returns last execution codes from census client run. +- **CensusStartTime** Returns timestamp corresponding to last successful census run. +- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. +- **LastConnectivityLossTime** Retrieves the last time the device lost free network. +- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. +- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. +- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. + + ### TelClientSynthetic.HeartBeat_5 This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. @@ -2506,6 +2748,8 @@ The following fields are available: - **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. - **EventStoreResetCounter** Number of times event DB was reset. - **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventSubStoreResetCounter** Number of times event DB was reset. +- **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. - **EventsUploaded** Number of events uploaded. - **Flags** Flags indicating device state such as network state, battery state, and opt-in state. - **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. @@ -3149,6 +3393,38 @@ The following fields are available: - **WDDMVersion** The Windows Display Driver Model version. +## Fault Reporting events + +### Microsoft.Windows.FaultReporting.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. + +The following fields are available: + +- **AppName** The name of the app that has crashed. +- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. +- **AppTimeStamp** The date/time stamp of the app. +- **AppVersion** The version of the app that has crashed. +- **ExceptionCode** The exception code returned by the process that has crashed. +- **ExceptionOffset** The address where the exception had occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. +- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. +- **IsCrashFatal** (Deprecated) True/False to indicate whether the crash resulted in process termination. +- **IsFatal** True/False to indicate whether the crash resulted in process termination. +- **ModName** Exception module name (e.g. bar.dll). +- **ModTimeStamp** The date/time stamp of the module. +- **ModVersion** The version of the module that has crashed. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has crashed. +- **ProcessId** The ID of the process that has crashed. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported +- **TargetAsId** The sequence number for the hanging process. + + ## Hang Reporting events ### Microsoft.Windows.HangReporting.AppHangEvent @@ -3185,9 +3461,13 @@ This event captures basic checksum data about the device inventory items stored The following fields are available: +- **Device** A count of device objects in cache. - **DeviceCensus** A count of device census objects in cache. - **DriverPackageExtended** A count of driverpackageextended objects in cache. +- **File** A count of file objects in cache. - **FileSigningInfo** A count of file signing objects in cache. +- **Generic** A count of generic objects in cache. +- **HwItem** A count of hwitem objects in cache. - **InventoryApplication** A count of application objects in cache. - **InventoryApplicationAppV** A count of application AppV objects in cache. - **InventoryApplicationDriver** A count of application driver objects in cache @@ -3211,6 +3491,9 @@ The following fields are available: - **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache - **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache - **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache +- **Metadata** A count of metadata objects in cache. +- **Orphan** A count of orphan file objects in cache. +- **Programs** A count of program objects in cache. ### Microsoft.Windows.Inventory.Core.AmiTelCacheFileInfo @@ -3691,27 +3974,30 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **AddinCLSID** The CLSID for the Office addin -- **AddInId** Office addin ID -- **AddinType** The type of the Office addin. -- **BinFileTimestamp** Timestamp of the Office addin -- **BinFileVersion** Version of the Office addin -- **Description** Office addin description -- **FileId** FileId of the Office addin -- **FileSize** File size of the Office addin -- **FriendlyName** Friendly name for office addin -- **FullPath** Unexpanded path to the office addin +- **AddinCLSID** The CLSID for the Office add-in. +- **AddInCLSID** CLSID key for the office addin +- **AddInId** Office add-in ID. +- **AddinType** Office add-in Type. +- **BinFileTimestamp** Timestamp of the Office add-in. +- **BinFileVersion** Version of the Office add-in. +- **Description** Office add-in description. +- **FileId** FileId of the Office add-in. +- **FileSize** File size of the Office add-in. +- **FriendlyName** Friendly name for office add-in. +- **FullPath** Unexpanded path to the office add-in. - **InventoryVersion** The version of the inventory binary generating the events. -- **LoadBehavior** Uint32 that describes the load behavior -- **OfficeApplication** The office application for this addin -- **OfficeArchitecture** Architecture of the addin -- **OfficeVersion** The office version for this addin -- **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this addin -- **ProductCompany** The name of the company associated with the Office addin -- **ProductName** The product name associated with the Office addin -- **ProductVersion** The version associated with the Office addin -- **ProgramId** The unique program identifier of the Office addin -- **Provider** Name of the provider for this addin +- **LoadBehavior** Uint32 that describes the load behavior. +- **LoadTime** Load time for the office addin +- **OfficeApplication** The office application for this add-in. +- **OfficeArchitecture** Architecture of the add-in. +- **OfficeVersion** The office version for this add-in. +- **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this add-in. +- **ProductCompany** The name of the company associated with the Office add-in. +- **ProductName** The product name associated with the Office add-in. +- **ProductVersion** The version associated with the Office add-in. +- **ProgramId** The unique program identifier of the Office add-in. +- **Provider** Name of the provider for this add-in. +- **Usage** Data regarding usage of the add-in. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove @@ -4015,6 +4301,7 @@ This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd e The following fields are available: +- **CensusId** A unique hardware identifier. - **ChecksumDictionary** A count of each operating system indicator. - **PCFP** Equivalent to the InventoryId field that is found in other core events. @@ -4091,6 +4378,60 @@ The following fields are available: ## OneDrive events +### Microsoft.OneDrive.Sync.Setup.APIOperation + +This event includes basic data about install and uninstall OneDrive API operations. + +The following fields are available: + +- **APIName** The name of the API. +- **Duration** How long the operation took. +- **IsSuccess** Was the operation successful? +- **ResultCode** The result code. +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.EndExperience + +This event includes a success or failure summary of the installation. + +The following fields are available: + +- **APIName** The name of the API. +- **HResult** HResult of the operation +- **IsSuccess** Whether the operation is successful or not +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation + +This event is related to the OS version when the OS is upgraded with OneDrive installed. + +The following fields are available: + +- **CurrentOneDriveVersion** The current version of OneDrive. +- **CurrentOSBuildBranch** The current branch of the operating system. +- **CurrentOSBuildNumber** The current build number of the operating system. +- **CurrentOSVersion** The current version of the operating system. +- **HResult** The HResult of the operation. +- **SourceOSBuildBranch** The source branch of the operating system. +- **SourceOSBuildNumber** The source build number of the operating system. +- **SourceOSVersion** The source version of the operating system. + + +### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation + +This event is related to registering or unregistering the OneDrive update task. + +The following fields are available: + +- **APIName** The name of the API. +- **IsSuccess** Was the operation successful? +- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. +- **ScenarioName** The name of the scenario. +- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. + + ### Microsoft.OneDrive.Sync.Updater.ComponentInstallState This event includes basic data about the installation state of dependent OneDrive components. @@ -4140,102 +4481,6 @@ The following fields are available: - **winInetError** The HResult of the operation. -## Other events - -### Microsoft.Windows.Kits.WSK.WskImageCreate - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. - -The following fields are available: - -- **Phase** The image creation phase. Values are “Start” or “End”. -- **WskVersion** The version of the Windows System Kit being used. - - -### Microsoft.Windows.Kits.WSK.WskImageCustomization - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. - -The following fields are available: - -- **Mode** The mode of update to image configuration files. Values are “New” or “Update”. -- **Phase** The image creation phase. Values are “Start” or “End”. -- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”. -- **WskVersion** The version of the Windows System Kit being used. - - -### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. - -The following fields are available: - -- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”. -- **OsEdition** The Operating System Edition that the workspace will target. -- **Phase** The image creation phase. Values are “Start” or “End”. -- **WskVersion** The version of the Windows System Kit being used. - - -### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General - -This event provides information about application properties to indicate the successful execution. - -The following fields are available: - -- **AppMode** Indicates the mode the app is being currently run around privileges. -- **ExitCode** Indicates the exit code of the app. -- **Help** Indicates if the app needs to be launched in the help mode. -- **ParseError** Indicates if there was a parse error during the execution. -- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. -- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. -- **TestMode** Indicates whether the app is being run in test mode. - - -### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount - -This event provides information about the properties of user accounts in the Administrator group. - -The following fields are available: - -- **Internal** Indicates the internal property associated with the count group. -- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. - - -### Microsoft.Xbox.XamTelemetry.AppActivationError - -This event indicates whether the system detected an activation error in the app. - -The following fields are available: - -- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. -- **AppId** The Xbox LIVE Title ID. -- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. -- **Result** The HResult error. -- **UserId** The Xbox LIVE User ID (XUID). - - -### Microsoft.Xbox.XamTelemetry.AppActivity - -This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. - -The following fields are available: - -- **AppActionId** The ID of the application action. -- **AppCurrentVisibilityState** The ID of the current application visibility state. -- **AppId** The Xbox LIVE Title ID of the app. -- **AppPackageFullName** The full name of the application package. -- **AppPreviousVisibilityState** The ID of the previous application visibility state. -- **AppSessionId** The application session ID. -- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). -- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. -- **DurationMs** The amount of time (in milliseconds) since the last application state transition. -- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. -- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). -- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. -- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. -- **UserId** The XUID (Xbox User ID) of the current user. - - ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -4292,6 +4537,17 @@ This event sends basic metadata about the update installation process generated +### SetupPlatformTel.SetupPlatformTelEvent + +This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. + + ### SetupPlatformTel.SetupPlatfOrmTelEvent This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. @@ -4375,7 +4631,7 @@ The following fields are available: - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan - **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). @@ -4388,6 +4644,36 @@ The following fields are available: - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +### SoftwareUpdateClientTelemetry.Commit + +This event tracks the commit process post the update installation when software update client is trying to update the device. + +The following fields are available: + +- **BiosFamily** Device family as defined in the system BIOS +- **BiosName** Name of the system BIOS +- **BiosReleaseDate** Release date of the system BIOS +- **BiosSKUNumber** Device SKU as defined in the system BIOS +- **BIOSVendor** Vendor of the system BIOS +- **BiosVersion** Version of the system BIOS +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumber** Identifies the revision number of the content bundle +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** Version number of the software distribution client +- **DeviceModel** Device model as defined in the system bios +- **EventInstanceID** A globally unique identifier for event instance +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". +- **FlightId** The specific id of the flight the device is getting +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SystemBIOSMajorRelease** Major release version of the system bios +- **SystemBIOSMinorRelease** Minor release version of the system bios +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + ### SoftwareUpdateClientTelemetry.Download Download process event for target update on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). @@ -4457,7 +4743,7 @@ The following fields are available: - **RepeatFailCount** Indicates whether this specific piece of content has previously failed. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload. @@ -4478,6 +4764,58 @@ The following fields are available: - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +### SoftwareUpdateClientTelemetry.DownloadCheckpoint + +This event provides a checkpoint between each of the Windows Update download phases for UUP content + +The following fields are available: + +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough +- **FileId** A hash that uniquely identifies a file +- **FileName** Name of the downloaded file +- **FlightId** The unique identifier for each flight +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RevisionNumber** Unique revision number of Update +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) +- **UpdateId** Unique Update ID +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### SoftwareUpdateClientTelemetry.DownloadHeartbeat + +This event allows tracking of ongoing downloads and contains data to explain the current state of the download + +The following fields are available: + +- **BytesTotal** Total bytes to transfer for this content +- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat +- **CurrentError** Last (transient) error encountered by the active download +- **DownloadFlags** Flags indicating if power state is ignored +- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) +- **EventType** Possible values are "Child", "Bundle", or "Driver" +- **FlightId** The unique identifier for each flight +- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" +- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any +- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any +- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one +- **ResumeCount** Number of times this active download has resumed from a suspended state +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SuspendCount** Number of times this active download has entered a suspended state +- **SuspendReason** Last reason for why this active download entered a suspended state +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + ### SoftwareUpdateClientTelemetry.Install This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. @@ -4494,6 +4832,7 @@ The following fields are available: - **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. - **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. - **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **ClientVersion** The version number of the software distribution client. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. @@ -4534,7 +4873,7 @@ The following fields are available: - **RepeatFailCount** Indicates whether this specific piece of content has previously failed. - **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. - **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). @@ -4544,6 +4883,7 @@ The following fields are available: - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. - **TransactionCode** The ID that represents a given MSI installation. - **UpdateId** Unique update ID. +- **UpdateID** An identifier associated with the specific piece of content. - **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. - **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. @@ -4584,7 +4924,7 @@ The following fields are available: - **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. - **RepeatFailCount** Indicates whether this specific piece of content has previously failed. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. @@ -4605,7 +4945,7 @@ The following fields are available: - **CmdLineArgs** Command line arguments passed in by the caller. - **EventInstanceID** A globally unique identifier for the event instance. - **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **WUDeviceID** Unique device ID controlled by the software distribution client. @@ -4644,7 +4984,7 @@ The following fields are available: - **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. - **RepeatFailCount** Indicates whether this specific piece of content previously failed. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. @@ -4665,10 +5005,41 @@ The following fields are available: - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). - **WUDeviceID** The unique device ID controlled by the software distribution client. +### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity + +Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed. +- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. +- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). +- **RawMode** Raw unparsed mode string from the SLS response. May be null if not applicable. +- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. +- **RevisionId** The revision ID for a specific piece of content. +- **RevisionNumber** The revision number for a specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. +- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. +- **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob +- **SignatureAlgorithm** The hash algorithm for the metadata signature. +- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". +- **StatusCode** Result code of the event (success, cancellation, failure code HResult) +- **TimestampTokenCertThumbprint** Thumbprint of the encoded timestamp token. +- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed. +- **UpdateId** The update ID for a specific piece of content. +- **ValidityWindowInDays** Validity window in effect when verifying the timestamp + + ## System Resource Usage Monitor events ### Microsoft.Windows.Srum.Sdp.CpuUsage @@ -5078,9 +5449,9 @@ The following fields are available: - **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** ID that uniquely identifies a group of events. - **WuId** Windows Update client ID. @@ -5218,9 +5589,9 @@ The following fields are available: - **FlightData** Specifies a unique identifier for each group of Windows Insider builds. - **InstanceId** Retrieves a unique identifier for each instance of a setup session. -- **Operation** Facilitator's last known operation (scan, download, etc.). +- **Operation** Facilitator’s last known operation (scan, download, etc.). - **ReportId** ID for tying together events stream side. -- **ResultCode** Result returned by Setup for the entire operation. +- **ResultCode** Result returned by setup for the entire operation. - **Scenario** Dynamic Update scenario (Image DU, or Setup DU). - **ScenarioId** Identifies the update scenario. - **TargetBranch** Branch of the target OS. @@ -5356,8 +5727,597 @@ The following fields are available: - **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). +## Windows Error Reporting MTT events + +### Microsoft.Windows.WER.MTT.Denominator + +This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors, to help keep Windows up to date. + +The following fields are available: + +- **DPRange** Maximum mean value range. +- **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. +- **Value** Standard UTC emitted DP value structure See [Value](#value). + + +### Value + +This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. + +The following fields are available: + +- **Algorithm** The algorithm used to preserve privacy. +- **DPRange** The upper bound of the range being measured. +- **DPValue** The randomized response returned by the client. +- **Epsilon** The level of privacy to be applied. +- **HistType** The histogram type if the algorithm is a histogram algorithm. +- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. + + +## Microsoft Store events + +### Microsoft.Windows.Store.StoreActivating + +This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. + + + +### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation + +This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The Item Bundle ID. +- **CategoryId** The Item Category ID. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Was this a mandatory update? +- **IsRemediation** Was this a remediation install? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Flag indicating if this is an update. +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The product family name of the product being installed. +- **ProductId** The identity of the package or packages being installed. +- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. +- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds + +This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare + +This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation + +This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. +- **AttemptNumber** Total number of installation attempts. +- **BundleId** The identity of the Windows Insider build that is associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this an automatic restore of a previously acquired product? +- **IsUpdate** Is this a product update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of all packages to be downloaded and installed. +- **PreviousHResult** The previous HResult code. +- **PreviousInstallState** Previous installation state before it was canceled. +- **ProductId** The name of the package or packages requested for installation. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled. +- **UserAttemptNumber** Total number of user attempts to install before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest + +This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Product ID of the app being installed. +- **HResult** HResult code of the action being performed. +- **IsBundle** Is this a bundle? +- **PackageFamilyName** The name of the package being installed. +- **ProductId** The Store Product ID of the product being installed. +- **SkuId** Specific edition of the item being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense + +This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. +- **AttemptNumber** The total number of attempts to acquire this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** HResult code to show the result of the operation (success/failure). +- **IsBundle** Is this a bundle? +- **IsInteractive** Did the user initiate the installation? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this happening after a device restore? +- **IsUpdate** Is this an update? +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to acquire this product. +- **UserAttemptNumber** The number of attempts by the user to acquire this product +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndDownload + +This event is sent after an app is downloaded to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The identity of the Windows Insider build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **DownloadSize** The total size of the download. +- **ExtendedHResult** Any extended HResult error codes. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this initiated by the user? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this a restore of a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The parent bundle ID (if it's part of a bundle). +- **PFN** The Product Family Name of the app being download. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to download. +- **UserAttemptNumber** The number of attempts by the user to download. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate + +This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds + +This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndInstall + +This event is sent after a product has been installed to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **ExtendedHResult** The extended HResult error code. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this an interactive installation? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates + +This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsApplicability** Is this request to only check if there are any applicable packages to install? +- **IsInteractive** Is this user requested? +- **IsOnline** Is the request doing an online check? + + +### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages + +This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData + +This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of system attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare + +This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete + +This event is sent at the end of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **FailedRetry** Indicates whether the installation or update retry was successful. +- **HResult** The HResult code of the operation. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate + +This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest + +This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **BundleId** The identity of the build associated with this product. +- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specific edition ID being installed. +- **VolumePath** The disk path of the installation. + + +### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation + +This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The Product Full Name. +- **PreviousHResult** The result code of the last action performed before this operation. +- **PreviousInstallState** Previous state before the installation or update was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation + +This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **IsUserRetry** Did the user initiate the retry? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **PreviousHResult** The previous HResult error code. +- **PreviousInstallState** Previous state before the installation was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector for the original install before it was resumed. +- **ResumeClientId** The ID of the app that initiated the resume operation. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest + +This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ProductId** The Store Product ID for the product being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest + +This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Catalog ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specfic edition of the app being updated. + + +### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest + +This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **PFamN** The name of the app that is requested for update. + + +## Windows System Kit events + +### Microsoft.Windows.Kits.WSK.WskImageCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. + +The following fields are available: + +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskImageCustomization + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. + +The following fields are available: + +- **CustomizationMode** Indicates the mode of the customization (new or updating). +- **CustomizationType** Indicates the type of customization (drivers or apps). +- **Mode** The mode of update to image configuration files. Values are “New” or “Update”. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. + +The following fields are available: + +- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”. +- **OsEdition** The Operating System Edition that the workspace will target. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WorkspaceArchitecture** The operating system architecture that the workspace will target. +- **WorkspaceOsEdition** The operating system edition that the workspace will target. +- **WskVersion** The version of the Windows System Kit being used. + + ## Windows Update Delivery Optimization events +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled + +This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download being done in the background? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller. +- **reasonCode** Reason the action or event occurred. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the file download session. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted + +This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **bytesRequested** The total number of bytes requested for download. +- **cacheServerConnectionCount** Number of connections made to cache hosts. +- **cdnConnectionCount** The total number of connections made to the CDN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP address of the source CDN. +- **cdnUrl** Url of the source Content Distribution Network (CDN). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). +- **downlinkUsageBps** The download speed (in bytes per second). +- **downloadMode** The download mode used for this file download session. +- **downloadModeReason** Reason for the download. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **fileSize** The size of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **groupConnectionCount** The total number of connections made to peers in the same group. +- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. +- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **lanConnectionCount** The total number of connections made to peers in the same LAN. +- **numPeers** The total number of peers used for this download. +- **predefinedCallerName** The name of the API Caller. +- **restrictedUpload** Is the upload restricted? +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **totalTimeMs** Duration of the download (in seconds). +- **updateID** The ID of the update being downloaded. +- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). +- **uplinkUsageBps** The upload speed (in bytes per second). +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused + +This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being paused. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller object. +- **reasonCode** The reason for pausing the download. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **updateID** The ID of the update being paused. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted + +This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Indicates whether the download is happening in the background. +- **bytesRequested** Number of bytes requested for the download. +- **cdnUrl** The URL of the source Content Distribution Network (CDN). +- **costFlags** A set of flags representing network cost. +- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). +- **diceRoll** Random number used for determining if a client will use peering. +- **doClientVersion** The version of the Delivery Optimization client. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **errorCode** The error code that was returned. +- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. +- **fileID** The ID of the file being downloaded. +- **filePath** The path to where the downloaded file will be written. +- **fileSize** Total file size of the file that was downloaded. +- **fileSizeCaller** Value for total file size provided by our caller. +- **groupID** ID for the group. +- **isEncrypted** Indicates whether the download is encrypted. +- **isVpn** Indicates whether the device is connected to a Virtual Private Network. +- **jobID** The ID of the Windows Update job. +- **peerID** The ID for this delivery optimization client. +- **predefinedCallerName** Name of the API caller. +- **routeToCacheServer** Cache server setting, source, and value. +- **sessionID** The ID for the file download session. +- **setConfigs** A JSON representation of the configurations that have been set, and their sources. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** Indicates whether the download used memory streaming. + + ### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. @@ -5380,6 +6340,20 @@ The following fields are available: - **sessionID** The ID of the download session. +### Microsoft.OSG.DU.DeliveryOptClient.JobError + +This event represents a Windows Update job error. It allows for investigation of top errors. + +The following fields are available: + +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **doErrorCode** Error code returned for delivery optimization. +- **errorCode** The error code returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **jobID** The Windows Update job ID. + + ## Windows Update events ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary @@ -5599,6 +6573,18 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours + +This event indicates that update activity was blocked because it is within the active hours window. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel This event indicates that Windows Update activity was blocked due to low battery level. @@ -5611,6 +6597,47 @@ The following fields are available: - **wuDeviceid** Device ID. +### Microsoft.Windows.Update.Orchestrator.DeferRestart + +This event indicates that a restart required for installing updates was postponed. + +The following fields are available: + +- **displayNeededReason** List of reasons for needing display. +- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). +- **gameModeReason** Name of the executable that caused the game mode state check to start. +- **ignoredReason** List of reasons that were intentionally ignored. +- **IgnoreReasonsForRestart** List of reasons why restart was deferred. +- **revisionNumber** Update ID revision number. +- **systemNeededReason** List of reasons why system is needed. +- **updateId** Update ID. +- **updateScenarioType** Update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Detection + +This event indicates that a scan for a Windows Update occurred. + +The following fields are available: + +- **deferReason** Reason why the device could not check for updates. +- **detectionBlockingPolicy** State of update action. +- **detectionBlockreason** Reason for detection not completing. +- **detectionRetryMode** Indicates whether we will try to scan again. +- **errorCode** The returned error code. +- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the session was user initiated. +- **networkStatus** Error info +- **revisionNumber** Update revision number. +- **scanTriggerSource** Source of the triggered scan. +- **updateId** Update ID. +- **updateScenarioType** Update Session type +- **wuDeviceid** Device ID + + ### Microsoft.Windows.Update.Orchestrator.DisplayNeeded This event indicates the reboot was postponed due to needing a display. @@ -5627,6 +6654,23 @@ The following fields are available: - **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue +### Microsoft.Windows.Update.Orchestrator.Download + +This event sends launch data for a Windows Update download to help keep Windows up to date. + +The following fields are available: + +- **deferReason** Reason for download not completing. +- **errorCode** An error code represented as a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the session is user initiated. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update. @@ -5695,7 +6739,7 @@ The following fields are available: - **revisionNumber** Revision number of the update. - **updateId** Update ID. - **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.Indicates the exact state of the user experience at the time the required reboot was initiated. - **wuDeviceid** Unique device ID used by Windows Update. @@ -6025,21 +7069,21 @@ This event sends data specific to the CleanupSafeOsImages mitigation used for OS The following fields are available: -- **ClientId** Unique identifier for each flight. -- **FlightId** Unique GUID that identifies each instances of setuphost.exe. -- **InstanceId** The update scenario in which the mitigation was executed. -- **MitigationScenario** Number of mounted images. -- **MountedImageCount** Number of mounted images that were under %systemdrive%\$Windows.~BT. -- **MountedImageMatches** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed. -- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed. -- **MountedImagesRemoved** Number of mounted images that were not under %systemdrive%\$Windows.~BT. -- **MountedImagesSkipped** Correlation vector value generated from the latest USO scan. -- **RelatedCV** HResult of this operation. -- **Result** ID indicating the mitigation scenario. -- **ScenarioId** Indicates whether the scenario was supported. -- **ScenarioSupported** Unique value for each update attempt. -- **SessionId** Unique ID for each Update. -- **UpdateId** Unique ID for the Windows Update client. +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **MountedImageCount** Number of mounted images. +- **MountedImageMatches** Number of mounted images that were under %systemdrive%\$Windows.~BT. +- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed. +- **MountedImagesRemoved** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed. +- **MountedImagesSkipped** Number of mounted images that were not under %systemdrive%\$Windows.~BT. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Update. - **WuId** Unique ID for the Windows Update client. @@ -6066,4 +7110,49 @@ The following fields are available: - **WuId** Unique ID for the Windows Update client. +## Winlogon events + +### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon + +This event signals the completion of the setup process. It happens only once during the first logon. + + + +## XBOX events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + +The following fields are available: + +- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. +- **AppId** The Xbox LIVE Title ID. +- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. +- **Result** The HResult error. +- **UserId** The Xbox LIVE User ID (XUID). + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index cd8898c653..37a8b7a031 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -365,7 +365,7 @@ Use the appropriate value in the table below when you configure the management p | Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** | > [!NOTE] - > When the User Configuration policy is set for Diagnostic Data, this will override the Computer Configuration setting. + > When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used. ### Use Group Policy to set the diagnostic data level diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json index 801539efd6..98296c6b76 100644 --- a/windows/privacy/docfx.json +++ b/windows/privacy/docfx.json @@ -36,8 +36,6 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", - "ms.author": "daniha", - "ms.date": "05/10/2018", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app" diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md index 8952d30367..e1797ff113 100644 --- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md +++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: high -ms.date: 10/16/2017 +ms.date: 11/9/2018 author: danihalfin ms.author: daniha --- @@ -309,33 +309,6 @@ The following fields are available: - **isTrustletRunning:** Indicates whether an enhanced security component is currently running - **isVsmCfg:** Flag indicating whether virtual secure mode is configured or not -## Microsoft.Windows.Security.Certificates.PinRulesCaCertUsedAnalytics -The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations. - -The following fields are available: - -- **certBinary:** Binary blob of public certificate as presented to the client (does not include any private keys) -- **certThumbprint:** Certificate thumbprint - -## Microsoft.Windows.Security.Certificates.PinRulesCheckedAnalytics -The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations. - -The following fields are available: - -- **caThumbprints:** Intermediate certificate thumbprints -- **rootThumbprint:** Root certificate thumbprint -- **serverName:** Server name associated with the certificate -- **serverThumbprint:** Server certificate thumbprint -- **statusBits:** Certificate status - -## Microsoft.Windows.Security.Certificates.PinRulesServerCertUsedAnalytics -The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations. - -The following fields are available: - -- **certBinary:** Binary blob of public certificate as presented to the client (does not include any private keys) -- **certThumbprint:** Certificate thumbprint - ## Microsoft.Windows.Security.Winlogon.SystemBootStop System boot has completed. @@ -437,5 +410,8 @@ A previous revision of this list stated that a field named PartA_UserSid was a m ### Office events added In Windows 10, version 1809 (also applies to versions 1709 and 1803 starting with [KB 4462932](https://support.microsoft.com/help/4462932/windows-10-update-kb4462932) and [KB 4462933](https://support.microsoft.com/help/4462933/windows-10-update-kb4462933) respectively), 16 events were added, describing Office app launch and availability. These events were added to improve the precision of Office data in Windows Analytics. +### CertAnalytics events removed +In Windows 10, version 1809 (also applies to versions 1709 and 1803 starting with [KB 4462932](https://support.microsoft.com/help/4462932/windows-10-update-kb4462932) and [KB 4462933](https://support.microsoft.com/help/4462933/windows-10-update-kb4462933) respectively), 3 "CertAnalytics" events were removed, as they are no longer required for Windows Analytics. + >[!NOTE] >You can use the Windows Diagnostic Data Viewer to observe and review events and their fields as described in this topic. diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md index dd46e67249..273464ae5a 100644 --- a/windows/privacy/gdpr-it-guidance.md +++ b/windows/privacy/gdpr-it-guidance.md @@ -1,5 +1,5 @@ --- -title: Windows 10 and the GDPR for IT Decision Makers +title: Windows and the GDPR-Information for IT Administrators and Decision Makers description: Use this topic to understand the relationship between users in your organization and Microsoft in the context of the GDPR (General Data Protection Regulation). keywords: privacy, GDPR, windows, IT ms.prod: w10 @@ -11,12 +11,17 @@ author: danihalfin ms.author: daniha ms.date: 05/11/2018 --- -# Windows 10 and the GDPR for IT Decision Makers +# Windows and the GDPR: Information for IT Administrators and Decision Makers Applies to: +- Windows 10, version 1809 - Windows 10, version 1803 - Windows 10, version 1709 - Windows 10, version 1703 +- Windows 10 Team Edition, version 1703 for Surface Hub +- Windows Server 2019 +- Windows Server 2016 +- Windows Analytics This topic provides IT Decision Makers with a basic understanding of the relationship between users in an organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn what role an IT organization plays for that relationship. @@ -35,7 +40,7 @@ Here are some GDPR fundamentals: * The European law establishes strict global data privacy requirements governing how organizations manage and protect personal data while respecting individual choice – no matter where data is sent, processed, or stored. * A request by an individual to an organization to take an action on their personal data is referred to here as a *data subject request*, or *DSR*. -Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR requires significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization. +Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR required significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization. ### What is personal data under the GDPR? @@ -87,7 +92,7 @@ It is important to differentiate between two distinct types of data Windows serv A user action, such as performing a Skype call, usually triggers the collection and transmission of Windows *functional data*. Some Windows components and applications connecting to Microsoft services also exchange Windows functional data to provide user functionality. Some other examples of Windows functional data: -* The Weather app which uses the device’s location to retrieve local weather or community news. +* The Weather app which can use the device’s location to retrieve local weather or community news. * Wallpaper and desktop settings that are synchronized across multiple devices. For more info on how IT Professionals can manage Windows functional data sent from an organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). @@ -100,10 +105,10 @@ Some examples of diagnostic data include: * The type of hardware being used, information about installed apps and usage details, and reliability data on drivers running on the device. * For users who have turned on “Tailored experiences”, it can be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for the needs of the user. -To find more about what information is collected, how it is handled, and the available Windows diagnostic data levels, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data) and [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). +Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced", and "Full". For a detailed discussion about these diagnostic data levels please see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). To find more about what information is collected and how it is handled, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data). >[!IMPORTANT] ->Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data to the respective publisher. Please contact them for further guidance on how to control the diagnostic data collection level and transmission of these publishers. +>Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data. Please contact the publisher for further guidance on how to control the diagnostic data collection level and transmission of these applications and services. ### Windows services where Microsoft is the processor under the GDPR @@ -123,7 +128,7 @@ As a result, in terms of the GDPR, the organization that has subscribed to Windo >The IT organization must explicitly enable Windows Analytics for a device after the organization subscribes. >[!IMPORTANT] ->Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for a particular device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device. +>Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device. #### Windows Defender ATP @@ -140,27 +145,43 @@ The following table lists in what GDPR mode – controller or processor – Wind | Service | Microsoft GDPR mode of operation | | --- | --- | -| Windows Functional data | Controller | +| Windows Functional data | Controller or Processor* | | Windows Diagnostic data | Controller | | Windows Analytics | Processor | | Windows Defender Advanced Threat Detection (ATP) | Processor | *Table 1: Windows 10 GDPR modes of operations for different Windows 10 services* -## Recommended diagnostic data level settings +*/*Depending on which application/feature this is referring to.* -Windows diagnostic data collection level can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques. +## Windows diagnostic data and Windows 10 -* For Windows 10, version 1803, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics). Those organizations who wish to share the smallest set of events for Windows Analytics can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” filtering mechanism that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics. + +### Recommended Windows 10 settings + +Windows diagnostic data collection level for Windows 10 can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques. + +* For Windows 10, version 1803 and version 1809, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics). >[!NOTE] >For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). * For Windows 10, version 1709, and Windows 10, version 1703, the recommended Windows diagnostic level configuration for EEA and Switzerland commercial users is “Basic”. -* For Windows 7, Microsoft recommends configuring enterprise devices for Windows Analytics to facilitate upgrade planning to Windows 10. +>[!NOTE] +>For Windows 7, Microsoft recommends [configuring enterprise devices for Windows Analytics](/windows/deployment/update/windows-analytics-get-started) to facilitate upgrade planning to Windows 10. -## Controlling the data collection and notification about it +### Additional information for Windows Analytics + +Some Windows Analytics solutions and functionality, such as Update Compliance, works with “Basic” as minimum Windows diagnostic level. Other solutions and functionality of Windows Analytics, such as Device Health, require “Enhanced”. + +Those organizations who wish to share the smallest set of events for Windows Analytics and have set the Windows diagnostic level to “Enhanced” can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” setting. This filtering mechanism was that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics. + +>[!NOTE] +>Additional information can be found at [Windows Analytics and privacy](/windows/deployment/update/windows-analytics-privacy +). + +## Controlling Windows 10 data collection and notification about it Windows 10 sends diagnostic data to Microsoft services, and some of that data can contain personal data. Both the user and the IT organization have the ability to control the transmission of that data to Microsoft. @@ -200,10 +221,43 @@ IT Professionals that are interested in this configuration, see [Windows 10 pers To find out more about the network connections that Windows components make to Microsoft as well as the privacy settings that affect data shared with either Microsoft or apps, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) and [Manage Windows 10 connection endpoints](manage-windows-endpoints.md). These articles describe how these settings can be managed by an IT Professional. -## At-a-glance: the relationship between an IT organization and the GDPR +### At-a-glance: the relationship between an IT organization and the GDPR Because Microsoft is a controller for data collected by Windows 10, the user can work with Microsoft to satisfy GDPR requirements. While this relationship between Microsoft and a user is evident in a consumer scenario, an IT organization can influence that relationship in an enterprise scenario. For example, the IT organization has the ability to centrally configure the Windows diagnostic data level by using Group Policy or MDM settings. +## Windows Server + +Windows Server follows the same mechanisms as Windows 10 for handling of personal data – for example, when collecting Windows diagnostic data. + +More detailed information about Windows Server and the GDPR is available at Beginning your General Data Protection Regulation (GDPR) journey for Windows Server. + +### Windows diagnostic data and Windows Server + +The lowest diagnostic data setting level supported on Windows Server 2016 and Windows Server 2019 through management policies is “Security”. The lowest diagnostic data setting supported through the Settings UI is “Basic”. The default diagnostic data level for all Windows Server 2016 and Windows Server 2019 editions is “Enhanced”. + +IT administrators can configure the Windows Server diagnostic data settings using familiar management tools, such as Group Policy, MDM, or Windows Provisioning. IT administrators can also manually change settings using Registry Editor. Setting the Windows Server diagnostic data levels through a management policy overrides any device-level settings. + +There are two options for deleting Windows diagnostic data from a Windows Server machine: + +- If the “Desktop Experience” option was chosen during the installation of Windows Server 2019, then there are the same options available for an IT administrator that end users have with Windows 10, version 1803 and version 1809, to submit a request for deleting that device’s diagnostic data. This is done by clicking the **Delete** button in the **Delete diagnostic data** section of **Start > Settings > Privacy > Diagnostics & feedback**. +- Microsoft has provided a [PowerShell cmdlet](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata) that IT administrators can use to delete Windows diagnostic data via the command line on a machine running Windows Server 2016 or Windows Server 2019. This cmdlet provides the same functionality for deleting Windows diagnostic data as with Desktop Experience on Windows Server 2019. For more information, see [the PowerShell Gallery](https://www.powershellgallery.com/packages/WindowsDiagnosticData). + +### Backups and Windows Server + +Backups, including live backups and backups that are stored locally within an organization or in the cloud, can contain personal data. + +- Backups an organizations creates, for example by using Windows Server Backup (WSB), are under its control. For example, for exporting personal data contained in a backup, the organization needs to restore the appropriate backup sets to facilitate the respective data subject request (DSR). +- The GDPR also applies when storing backups in the cloud. For example, an organization can use Microsoft Azure Backup to backup files and folders from physical or virtual Windows Server machines (located on-premises or in Azure) to the cloud. The organization that is subscribed to this backup service also has the obligation to restore the data in order to exercise the respective DSR. + +## Windows 10 Team Edition, Version 1703 for Surface Hub + +Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub, Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store. + +>[!NOTE] +>Additional apps running on the device, that are not delivered as part of the in-box experience of Surface Hub, may implement their own diagnostic data collection and transmission functionality independently to collect and process personal data. Please contact the app publisher for further guidance on how to control this. + +An IT administrator can configure privacy- related settings, such as setting the Windows diagnostic data level to Basic. Surface Hub does not support group policy for centralized management; however, IT administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, please see [Manage settings with an MDM provider](https://docs.microsoft.com/surface-hub/manage-settings-with-mdm-for-surface-hub). + ## Further reading ### Optional settings / features that further improve the protection of personal data @@ -215,11 +269,11 @@ Personal data protection is one of the goals of the GDPR. One way of improving p ### Windows Security Baselines -Microsoft has created Windows Security Baselines to efficiently configure Windows 10. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines). +Microsoft has created Windows Security Baselines to efficiently configure Windows 10 and Windows Server. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines). ### Windows Restricted Traffic Limited Functionality Baseline -To make it easier to deploy settings that restrict connections from Windows 10 to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887). +To make it easier to deploy settings that restrict connections from Windows 10 and Windows Server to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887). >[!IMPORTANT] >Some of the settings of the Windows Restricted Traffic Limited Functionality Baseline will reduce the functionality and security configuration of a device in the organization and are therefore not recommended. diff --git a/windows/privacy/gdpr-win10-whitepaper.md b/windows/privacy/gdpr-win10-whitepaper.md index 5a54e998e6..a8a0214f4a 100644 --- a/windows/privacy/gdpr-win10-whitepaper.md +++ b/windows/privacy/gdpr-win10-whitepaper.md @@ -293,7 +293,7 @@ For example, employees can’t send protected work files from a personal email a #### Capabilities to classify, assign permissions and share data Windows Information Protection is designed to coexist with advanced data loss prevention (DLP) capabilities found in Office 365 ProPlus, Azure Information Protection, and Azure Rights Management. Advanced DLP prevents printing, for example, or protects work data that is emailed outside your company. -To continously protect your data, regardless of where it is stored, with whom it is shared, or if the device is running iOS, Android or Windows, the classification and protection needs to be built into the file itself, so this protection can travel with the data wherever it goes. Microsoft Azure Information Protection (AIP) is designed to provide this persistent data protection both on-premises and in the cloud. +To continuously protect your data, regardless of where it is stored, with whom it is shared, or if the device is running iOS, Android or Windows, the classification and protection needs to be built into the file itself, so this protection can travel with the data wherever it goes. Microsoft Azure Information Protection (AIP) is designed to provide this persistent data protection both on-premises and in the cloud. Data classification is an important part of any data governance plan. Adopting a classification scheme that applies throughout your business can be particularly helpful in responding to what the GDPR calls data subject (for example, your EU employee or customer) requests, because it enables enterprises to identify more readily and process personal data requests. @@ -332,4 +332,4 @@ This article does not provide you with any legal rights to any intellectual prop Published September 2017
    Version 1.0
    -© 2017 Microsoft. All rights reserved. \ No newline at end of file +© 2017 Microsoft. All rights reserved. diff --git a/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md b/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md new file mode 100644 index 0000000000..ee8ecf4a8b --- /dev/null +++ b/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md @@ -0,0 +1,92 @@ +--- +title: MICROSOFT WINDOWS DIAGNOSTIC DATA FOR POWERSHELL +description: MICROSOFT SOFTWARE LICENSE TERMS +keywords: privacy, license, terms +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: high +author: danihalfin +ms.author: daniha +ms.date: 11/16/2018 +robots: noindex,nofollow +--- + +MICROSOFT SOFTWARE LICENSE TERMS + +MICROSOFT WINDOWS DIAGNOSTIC DATA FOR POWERSHELL + + + +These license terms are an agreement between you and Microsoft Corporation (or one of its affiliates). They apply to the software named above and any Microsoft services or software updates (except to the extent such services or updates are accompanied by new or additional terms, in which case those different terms apply prospectively and do not alter your or Microsoft’s rights relating to pre-updated software or services). IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW. BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. + +1. INSTALLATION AND USE RIGHTS. + +a) General. You may install and use any number of copies of the software. + +b) Third Party Software. The software may include third party applications that Microsoft, not the third party, licenses to you under this agreement. Any included notices for third party applications are for your information only. + +2. DATA COLLECTION. The software may collect information about you and your use of the software and send that to Microsoft. Microsoft may use this information to provide services and improve Microsoft’s products and services. Your opt-out rights, if any, are described in the product documentation. Some features in the software may enable collection of data from users of your applications that access or use the software. If you use these features to enable data collection in your applications, you must comply with applicable law, including getting any required user consent, and maintain a prominent privacy policy that accurately informs users about how you use, collect, and share their data. You can learn more about Microsoft’s data collection and use in the product documentation and the Microsoft Privacy Statement at https://go.microsoft.com/fwlink/?LinkId=512132. You agree to comply with all applicable provisions of the Microsoft Privacy Statement. + +3. SCOPE OF LICENSE. The software is licensed, not sold. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you will not (and have no right to): + +a) work around any technical limitations in the software that only allow you to use it in certain ways; + +b) reverse engineer, decompile or disassemble the software; + +c) remove, minimize, block, or modify any notices of Microsoft or its suppliers in the software; + +d) use the software in any way that is against the law or to create or propagate malware; or + +e) share, publish, distribute, or lend the software, provide the software as a stand-alone hosted solution for others to use, or transfer the software or this agreement to any third party. + +4. EXPORT RESTRICTIONS. You must comply with all domestic and international export laws and regulations that apply to the software, which include restrictions on destinations, end users, and end use. For further information on export restrictions, visit http://aka.ms/exporting. + +5. SUPPORT SERVICES. Microsoft is not obligated under this agreement to provide any support services for the software. Any support provided is “as is”, “with all faults”, and without warranty of any kind. + +6. ENTIRE AGREEMENT. This agreement, and any other terms Microsoft may provide for supplements, updates, or third-party applications, is the entire agreement for the software. + +7. APPLICABLE LAW AND PLACE TO RESOLVE DISPUTES. If you acquired the software in the United States or Canada, the laws of the state or province where you live (or, if a business, where your principal place of business is located) govern the interpretation of this agreement, claims for its breach, and all other claims (including consumer protection, unfair competition, and tort claims), regardless of conflict of laws principles. If you acquired the software in any other country, its laws apply. If U.S. federal jurisdiction exists, you and Microsoft consent to exclusive jurisdiction and venue in the federal court in King County, Washington for all disputes heard in court. If not, you and Microsoft consent to exclusive jurisdiction and venue in the Superior Court of King County, Washington for all disputes heard in court. + +8. CONSUMER RIGHTS; REGIONAL VARIATIONS. This agreement describes certain legal rights. You may have other rights, including consumer rights, under the laws of your state, province, or country. Separate and apart from your relationship with Microsoft, you may also have rights with respect to the party from which you acquired the software. This agreement does not change those other rights if the laws of your state, province, or country do not permit it to do so. For example, if you acquired the software in one of the below regions, or mandatory country law applies, then the following provisions apply to you: + +a) Australia. You have statutory guarantees under the Australian Consumer Law and nothing in this agreement is intended to affect those rights. + +b) Canada. If you acquired this software in Canada, you may stop receiving updates by turning off the automatic update feature, disconnecting your device from the Internet (if and when you re-connect to the Internet, however, the software will resume checking for and installing updates), or uninstalling the software. The product documentation, if any, may also specify how to turn off updates for your specific device or software. + +c) Germany and Austria. + +i. Warranty. The properly licensed software will perform substantially as described in any Microsoft materials that accompany the software. However, Microsoft gives no contractual guarantee in relation to the licensed software. + +ii. Limitation of Liability. In case of intentional conduct, gross negligence, claims based on the Product Liability Act, as well as, in case of death or personal or physical injury, Microsoft is liable according to the statutory law. + +Subject to the foregoing clause ii., Microsoft will only be liable for slight negligence if Microsoft is in breach of such material contractual obligations, the fulfillment of which facilitate the due performance of this agreement, the breach of which would endanger the purpose of this agreement and the compliance with which a party may constantly trust in (so-called "cardinal obligations"). In other cases of slight negligence, Microsoft will not be liable for slight negligence. + +9. DISCLAIMER OF WARRANTY. THE SOFTWARE IS LICENSED “AS IS.” YOU BEAR THE RISK OF USING IT. MICROSOFT GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. TO THE EXTENT PERMITTED UNDER APPLICABLE LAWS, MICROSOFT EXCLUDES ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. + +10. LIMITATION ON AND EXCLUSION OF DAMAGES. IF YOU HAVE ANY BASIS FOR RECOVERING DAMAGES DESPITE THE PRECEDING DISCLAIMER OF WARRANTY, YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES. + +This limitation applies to (a) anything related to the software, services, content (including code) on third party Internet sites, or third party applications; and (b) claims for breach of contract, warranty, guarantee, or condition; strict liability, negligence, or other tort; or any other claim; in each case to the extent permitted by applicable law. + +It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your state, province, or country may not allow the exclusion or limitation of incidental, consequential, or other damages. + + + +Please note: As this software is distributed in Canada, some of the clauses in this agreement are provided below in French. + +Remarque: Ce logiciel étant distribué au Canada, certaines des clauses dans ce contrat sont fournies ci-dessous en français. + +EXONÉRATION DE GARANTIE. Le logiciel visé par une licence est offert « tel quel ». Toute utilisation de ce logiciel est à votre seule risque et péril. Microsoft n’accorde aucune autre garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection des consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties implicites de qualité marchande, d’adéquation à un usage particulier et d’absence de contrefaçon sont exclues. + +LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation pour les autres dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices. + +Cette limitation concerne: + +• tout ce qui est relié au logiciel, aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers; et + +• les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité stricte, de négligence ou d’une autre faute dans la limite autorisée par la loi en vigueur. + +Elle s’applique également, même si Microsoft connaissait ou devrait connaître l’éventualité d’un tel dommage. Si votre pays n’autorise pas l’exclusion ou la limitation de responsabilité pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l’exclusion ci-dessus ne s’appliquera pas à votre égard. + +EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d’autres droits prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois de votre pays si celles-ci ne le permettent pas. \ No newline at end of file diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 865d98939f..5c89da41a0 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -16,8 +16,9 @@ ms.date: 06/05/2018 **Applies to** -- Windows 10 Enterprise, version 1607 and newer -- Windows Server 2016 +- Windows 10 Enterprise, version 1607 and newer +- Windows Server 2016 +- Windows Server 2019 If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). @@ -43,6 +44,12 @@ Note that **Get Help** and **Give us Feedback** links no longer work after the W We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. +## What's new in Windows 10, version 1809 Enterprise edition + +Here's a list of changes that were made to this article for Windows 10, version 1809: + +- Added a policy to disable Windows Defender SmartScreen + ## What's new in Windows 10, version 1803 Enterprise edition Here's a list of changes that were made to this article for Windows 10, version 1803: @@ -74,17 +81,17 @@ Here's a list of changes that were made to this article for Windows 10, version - Added the following Group Policies: - - Prevent managing SmartScreen Filter - - Turn off Compatibility View - - Turn off Automatic Download and Install of updates - - Do not connect to any Windows Update locations - - Turn off access to all Windows Update features - - Specify Intranet Microsoft update service location - - Enable Windows NTP client - - Turn off Automatic download of the ActiveX VersionList - - Allow Automatic Update of Speech Data - - Accounts: Block Microsoft Accounts - - Do not use diagnostic data for tailored experiences + - Prevent managing SmartScreen Filter + - Turn off Compatibility View + - Turn off Automatic Download and Install of updates + - Do not connect to any Windows Update locations + - Turn off access to all Windows Update features + - Specify Intranet Microsoft update service location + - Enable Windows NTP client + - Turn off Automatic download of the ActiveX VersionList + - Allow Automatic Update of Speech Data + - Accounts: Block Microsoft Accounts + - Do not use diagnostic data for tailored experiences ## Management options for each setting @@ -99,20 +106,20 @@ The following table lists management options for each setting, beginning with Wi | Setting | UI | Group Policy | MDM policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | -| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | | | | +| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [5. Find My Device](#find-my-device) | | ![Check mark](images/checkmark.png) | | | | -| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [10. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [11. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [12. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [14. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [14. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [16. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | | [17. Settings > Privacy](#bkmk-settingssection) | | | | | | @@ -142,12 +149,14 @@ The following table lists management options for each setting, beginning with Wi | [21. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [23. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [23.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [24. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | | [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | |     [26.1 Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | | | | [27. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [28. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [29. License Manager](#bkmk-licmgr) | | | | ![Check mark](images/checkmark.png) | | ### Settings for Windows Server 2016 with Desktop Experience @@ -202,6 +211,63 @@ See the following table for a summary of the management settings for Windows Ser | [21. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | [28. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | | +### Settings for Windows Server 2019 + +See the following table for a summary of the management settings for Windows Server 2019. + +| Setting | UI | Group Policy | MDM policy | Registry | Command line | +| - | :-: | :-: | :-: | :-: | :-: | +| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [10. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [11. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [12. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [14. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [16. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [17. Settings > Privacy](#bkmk-settingssection) | | | | | | +|     [17.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)| ![Check mark](images/checkmark.png) | | +|     [17.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +|     [17.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [19. Storage Health](#bkmk-storage-health) | | ![Check mark](images/checkmark.png) | | | | +| [20. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [21. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [22. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [23. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [23.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [24. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [26.1 Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | | | +| [27. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [28. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | + ## How to configure each setting Use the following sections for more information about how to configure each setting. @@ -219,18 +285,18 @@ For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update** - -and- + -and- 1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**. 2. Double-click **Certificate Path Validation Settings**. 3. On the **Network Retrieval** tab, select the **Define these policy settings** check box. 4. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box, and then click **OK**. - -or- + -or- - Create the registry path **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot** and then add a REG\_DWORD registry setting, named **DisableRootAutoUpdate**, with a value of 1. - -and- + -and- 1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**. 2. Double-click **Certificate Path Validation Settings**. @@ -294,11 +360,11 @@ In Windows 10, version 1507 and Windows 10, version 1511, when you enable the ** 9. Configure the **Protocols and Ports** page with the following info, and then click **OK**. - - For **Protocol type**, choose **TCP**. + - For **Protocol type**, choose **TCP**. - - For **Local port**, choose **All Ports**. + - For **Local port**, choose **All Ports**. - - For **Remote port**, choose **All ports**. + - For **Remote port**, choose **All ports**. If your organization tests network traffic, do not use a network proxy as Windows Firewall does not block proxy traffic. Instead, use a network traffic analyzer. Based on your needs, there are many network traffic analyzers available at no cost. @@ -316,39 +382,47 @@ For Windows 10 only, the following Cortana MDM policies are available in the [Po You can prevent Windows from setting the time automatically. -- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically** +- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically** - -or- + -or- -- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**. +- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**. After that, configure the following: -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client** +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client** > [!NOTE] > This is only available on Windows 10, version 1703 and later. If you're using Windows 10, version 1607, the Group Policy setting is **Computer Configuration** > **Administrative Templates** > **System** > **Windows Time Service** > **Time Providers** > **Enable Windows NTP Client** - -or - + -or - - Create a new REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient** and set it to 0 (zero). ### 4. Device metadata retrieval -To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. +To prevent Windows from retrieving device metadata from the Internet: -You can also create a new REG\_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one). +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. + + -or - + +- Create a new REG\_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one). + + -or - + +- Apply the DeviceInstallation/PreventDeviceMetadataFromNetwork MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork). ### 5. Find My Device To turn off Find My Device: -- Turn off the feature in the UI +- Turn off the feature in the UI - -or- + -or- -- Disable the Group Policy: **Computer Configuration** > **Administrative Template** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device** +- Disable the Group Policy: **Computer Configuration** > **Administrative Template** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device** You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FindMyDevice\\AllowFindMyDevice** to 0 (zero). @@ -364,9 +438,9 @@ If you're running Windows 10, version 1607, Windows Server 2016, or later: - In Windows 10, version 1703, you can apply the System/AllowFontProviders MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: - - **false**. Font streaming is disabled. + - **false**. Font streaming is disabled. - - **true**. Font streaming is enabled. + - **true**. Font streaming is enabled. If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting named **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters** with a value of 1. @@ -393,35 +467,35 @@ To turn off Insider Preview builds for Windows 10: > [!NOTE] > If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. -- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Insider Program** > **Stop Insider Preview builds**. +- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Insider Program** > **Stop Insider Preview builds**. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. - -or - + -or - - Create a new REG\_DWORD registry setting named **AllowBuildPreview** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PreviewBuilds** with a vlue of 0 (zero) - -or- + -or- -- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: +- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: - - **0**. Users cannot make their devices available for downloading and installing preview software. + - **0**. Users cannot make their devices available for downloading and installing preview software. - - **1**. Users can make their devices available for downloading and installing preview software. + - **1**. Users can make their devices available for downloading and installing preview software. - - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. + - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. - -or- + -or- -- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where: +- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where: - - **0**. Users cannot make their devices available for downloading and installing preview software. + - **0**. Users cannot make their devices available for downloading and installing preview software. - - **1**. Users can make their devices available for downloading and installing preview software. + - **1**. Users can make their devices available for downloading and installing preview software. - - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. + - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. ### 8. Internet Explorer @@ -445,13 +519,14 @@ Alternatively, you could use the registry to set the Group Policies. | Turn off browser geolocation | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation
    REG_DWORD: PolicyDisableGeolocation
    Value: 1 | | Prevent managing SmartScreen filter | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
    REG_DWORD: EnabledV9
    Value: 0 | -There are three more Group Policy objects that are used by Internet Explorer: +There are more Group Policy objects that are used by Internet Explorer: | Path | Policy | Description | | - | - | - | | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Compatibility View** > **Turn off Compatibility View** | Choose whether employees can configure Compatibility View. | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
    Default: Disabled | | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
    Default: Enabled | | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices.
    Default: Enabled | +| **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Allow Online Tips** | Allow Online Tips | Enables or disables the retrieval of online tips and help for the Settings app.
    Set to : Disabled | You can also use registry entries to set these Group Policies. @@ -460,6 +535,10 @@ You can also use registry entries to set these Group Policies. | Choose whether employees can configure Compatibility View. | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation
    REG_DWORD: MSCompatibilityMode
    Value: 0| | Turn off the flip ahead with page prediction feature | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead
    REG_DWORD: Enabled
    Value: 0| | Turn off background synchronization for feeds and Web Slices | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds
    REG_DWORD: BackgroundSyncStatus
    Value: 0| +| Turn off Online Tips | HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
    REG_DWORD: AllowOnlineTips
    Value: 0| + +1. HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!AllowOnlineTips, 0, Null, Fail + To turn off the home page, enable the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Disable changing home page settings**, and set it to **about:blank**. @@ -475,7 +554,7 @@ You can turn this off by: - Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Features** > **Add-on Management** > **Turn off Automatic download of the ActiveX VersionList** - -or - + -or - - Changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). @@ -485,11 +564,11 @@ For more info, see [Out-of-date ActiveX control blocking](https://technet.micros To turn off Live Tiles: -- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage** +- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage** - -or- + -or- -- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one). In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start. @@ -497,33 +576,35 @@ In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start. To turn off mail synchronization for Microsoft Accounts that are configured on a device: -- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts. +- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts. - -or- + -or- -- Remove any Microsoft Accounts from the Mail app. +- Remove any Microsoft Accounts from the Mail app. - -or- + -or- -- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device. +- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device. To turn off the Windows Mail app: -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application** - -or- + -or- -- Create a REG\_DWORD registry setting named **ManualLaunchAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Mail** with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **ManualLaunchAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Mail** with a value of 0 (zero). ### 11. Microsoft Account -To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. +To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). -- Apply the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**. +- Apply the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**. - -or- + -or- - Create a REG\_DWORD registry setting named **NoConnectedUser** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System** with a value of 3. + + To disable the Microsoft Account Sign-In Assistant: - Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. @@ -547,11 +628,10 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g | Configure Do Not Track | Choose whether employees can send Do Not Track headers.
    Default: Disabled | | Configure Password Manager | Choose whether employees can save passwords locally on their devices.
    Default: Enabled | | Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions.
    Default: Enabled | -| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)
    Configure SmartScreen Filter (Windows Server 2016) | Choose whether Windows Defender SmartScreen is turned on or off.
    Default: Enabled | +| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Windows Defender SmartScreen is turned on or off.
    Default: Enabled | | Allow web content on New Tab page | Choose whether a new tab page appears.
    Default: Enabled | | Configure Start pages | Choose the Start page for domain-joined devices.
    Set this to **\** | -| Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage.
    Default: Disabled | - +| Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage.
    Set to: Enable | The Windows 10, version 1511 Microsoft Edge Group Policy names are: @@ -579,6 +659,7 @@ Alternatively, you can configure the Microsoft Group Policies using the followin | Configure Windows Defender SmartScreen Filter (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
    REG_DWORD name: EnabledV9
    Value: 0 | | Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
    REG_DWORD name: AllowWebContentOnNewTabPage
    Value: 0 | | Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
    REG_DWORD name: ProvisionedHomePages
    Value: 0| +| Prevent the First Run webpage from opening on Microsoft Edge | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
    REG_DWORD name: PreventFirstRunPage
    Value: 1| ### 12.2 Microsoft Edge MDM policies @@ -606,48 +687,60 @@ In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2 You can turn off NCSI by doing one of the following: -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** -- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy. +- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests) with a value of 1. > [!NOTE] > After you apply this policy, you must restart the device for the policy setting to take effect. -or- -- Create a REG\_DWORD registry setting named **NoActiveProbe** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **NoActiveProbe** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator** with a value of 1 (one). ### 14. Offline maps You can turn off the ability to download and update offline maps. -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** - -or- + -or- -- Create a REG\_DWORD registry setting named **AutoDownloadAndUpdateMapData** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **AutoDownloadAndUpdateMapData** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero). - -and- + -or- + +- In Windows 10, version 1607 and later, apply the Maps/EnableOfflineMapsAutoUpdate MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-maps#maps-enableofflinemapsautoupdate) with a value of 0. + + -and- - In Windows 10, version 1607 and later, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page** - -or- + -or- -- Create a REG\_DWORD registry setting named **AllowUntriggeredNetworkTrafficOnSettingsPage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **AllowUntriggeredNetworkTrafficOnSettingsPage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero). + + -or- + +- In Windows 10, version 1703 and later, apply the Settings/PageVisibilityList MDM policy from the [Policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) with a value of "hide:maps;maps-downloadmaps". ### 15. OneDrive To turn off OneDrive in your organization: -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** + + -or- + +- Create a REG\_DWORD registry setting named **DisableFileSyncNGSC** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\OneDrive** with a value of 1 (one). + + -and- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent OneDrive from generating network traffic until the user signs in to OneDrive (Enable)** -or- -- Create a REG\_DWORD registry setting named **DisableFileSyncNGSC** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\OneDrive** with a value of 1 (one). - - -and- - -- Create a REG\_DWORD registry setting named **PreventNetworkTrafficPreUserSignIn** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\OneDrive** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **PreventNetworkTrafficPreUserSignIn** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\OneDrive** with a value of 1 (one). ### 16. Preinstalled apps @@ -655,117 +748,117 @@ Some preinstalled apps get content before they are opened to ensure a great expe To remove the News app: -- Right-click the app in Start, and then click **Uninstall**. +- Right-click the app in Start, and then click **Uninstall**. - -or- + -or- -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage** To remove the Weather app: -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage** To remove the Money app: -- Right-click the app in Start, and then click **Uninstall**. +- Right-click the app in Start, and then click **Uninstall**. - -or- + -or- -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage** To remove the Sports app: -- Right-click the app in Start, and then click **Uninstall**. +- Right-click the app in Start, and then click **Uninstall**. - -or- + -or- -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage** To remove the Twitter app: -- Right-click the app in Start, and then click **Uninstall**. +- Right-click the app in Start, and then click **Uninstall**. - -or- + -or- -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage** To remove the XBOX app: -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage** To remove the Sway app: -- Right-click the app in Start, and then click **Uninstall**. +- Right-click the app in Start, and then click **Uninstall**. - -or- + -or- -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage** To remove the OneNote app: -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage** To remove the Get Office app: -- Right-click the app in Start, and then click **Uninstall**. +- Right-click the app in Start, and then click **Uninstall**. - -or- + -or- -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage** To remove the Get Skype app: -- Right-click the Sports app in Start, and then click **Uninstall**. +- Right-click the Sports app in Start, and then click **Uninstall**. - -or- + -or- -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage** To remove the Sticky notes app: -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftStickyNotes"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftStickyNotes"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage** @@ -773,43 +866,43 @@ To remove the Sticky notes app: Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. -- [17.1 General](#bkmk-general) +- [17.1 General](#bkmk-general) -- [17.2 Location](#bkmk-priv-location) +- [17.2 Location](#bkmk-priv-location) -- [17.3 Camera](#bkmk-priv-camera) +- [17.3 Camera](#bkmk-priv-camera) -- [17.4 Microphone](#bkmk-priv-microphone) +- [17.4 Microphone](#bkmk-priv-microphone) -- [17.5 Notifications](#bkmk-priv-notifications) +- [17.5 Notifications](#bkmk-priv-notifications) -- [17.6 Speech, inking, & typing](#bkmk-priv-speech) +- [17.6 Speech, inking, & typing](#bkmk-priv-speech) -- [17.7 Account info](#bkmk-priv-accounts) +- [17.7 Account info](#bkmk-priv-accounts) -- [17.8 Contacts](#bkmk-priv-contacts) +- [17.8 Contacts](#bkmk-priv-contacts) -- [17.9 Calendar](#bkmk-priv-calendar) +- [17.9 Calendar](#bkmk-priv-calendar) -- [17.10 Call history](#bkmk-priv-callhistory) +- [17.10 Call history](#bkmk-priv-callhistory) -- [17.11 Email](#bkmk-priv-email) +- [17.11 Email](#bkmk-priv-email) -- [17.12 Messaging](#bkmk-priv-messaging) +- [17.12 Messaging](#bkmk-priv-messaging) -- [17.13 Radios](#bkmk-priv-radios) +- [17.13 Radios](#bkmk-priv-radios) -- [17.14 Other devices](#bkmk-priv-other-devices) +- [17.14 Other devices](#bkmk-priv-other-devices) -- [17.15 Feedback & diagnostics](#bkmk-priv-feedback) +- [17.15 Feedback & diagnostics](#bkmk-priv-feedback) -- [17.16 Background apps](#bkmk-priv-background) +- [17.16 Background apps](#bkmk-priv-background) -- [17.17 Motion](#bkmk-priv-motion) +- [17.17 Motion](#bkmk-priv-motion) -- [17.18 Tasks](#bkmk-priv-tasks) +- [17.18 Tasks](#bkmk-priv-tasks) -- [17.19 App Diagnostics](#bkmk-priv-diag) +- [17.19 App Diagnostics](#bkmk-priv-diag) ### 17.1 General @@ -822,33 +915,33 @@ To turn off **Let apps use advertising ID to make ads more interesting to you ba > [!NOTE] > When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. - -or- + -or- -- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero). - -or- + -or- -- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one). To turn off **Let websites provide locally relevant content by accessing my language list**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1. +- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1. To turn off **Let Windows track app launches to improve Start and search results**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- - Create a REG_DWORD registry setting named **Start_TrackProgs** in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced** with value of 0 (zero). @@ -859,51 +952,33 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin > [!NOTE] > When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. - -or- + -or- -- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero). - -or- + -or- -- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one). To turn off **Turn on SmartScreen Filter to check web content (URLs) that Microsoft Store apps use**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**. - In Windows 10, version 1703, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure Windows Defender SmartScreen Filter**. +- Create a provisioning package, using: + - For Internet Explorer: **Runtime settings > Policies > Browser > AllowSmartScreen** + - For Microsoft Edge: **Runtime settings > Policies > MicrosoftEdge > AllowSmartScreen** - In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. - In Windows 10, version 1703 , apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows Defender SmartScreen**. + -or- - -or- - -- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. - - -or- - -- Create a provisioning package, using: - - - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen** - - - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen** - - -or- - -- Create a REG\_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost** with a value of 0 (zero). - - -or- - -- Create a REG\_DWORD registry setting named **EnableSmartScreen** in **HKEY\_LOCAL\_MACHINE\\Sofware\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero). +- Create a REG_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost** with a value of 0 (zero). To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: @@ -912,35 +987,35 @@ To turn off **Send Microsoft info about how I write to help us improve typing an -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: +- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: - - **0**. Not allowed + - **0**. Not allowed - - **1**. Allowed (default) + - **1**. Allowed (default) To turn off **Let websites provide locally relevant content by accessing my language list**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1. +- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1. To turn off **Let apps on my other devices open apps and continue experiences on this devices**: - Turn off the feature in the UI. - -or- + -or- -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**. +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**. - -or- + -or- -- Create a REG\_DWORD registry setting named **EnableCdp** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **EnableCdp** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero). To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**: @@ -952,58 +1027,58 @@ In the **Location** area, you choose whether devices have access to location-spe To turn off **Location for this device**: -- Click the **Change** button in the UI. +- Click the **Change** button in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). - -or- + -or- -- Apply the System/AllowLocation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: +- Apply the System/AllowLocation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - **0**. Turned off and the employee can't turn it back on. + - **0**. Turned off and the employee can't turn it back on. - - **1**. Turned on, but lets the employee choose whether to use it. (default) + - **1**. Turned on, but lets the employee choose whether to use it. (default) - - **2**. Turned on and the employee can't turn it off. + - **2**. Turned on and the employee can't turn it off. > [!NOTE] > You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](https://msdn.microsoft.com/library/dn905224.aspx). - -or- + -or- -- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where +- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where - - **No**. Turns off location service. + - **No**. Turns off location service. - - **Yes**. Turns on location service. (default) + - **Yes**. Turns on location service. (default) To turn off **Location**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Create a REG\_DWORD registry setting named **DisableLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DisableLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one). - -or- + -or- To turn off **Location history**: -- Erase the history using the **Clear** button in the UI. +- Erase the history using the **Clear** button in the UI. To turn off **Choose apps that can use your location**: -- Turn off each app using the UI. +- Turn off each app using the UI. ### 17.3 Camera @@ -1011,40 +1086,40 @@ In the **Camera** area, you can choose which apps can access a device's camera. To turn off **Let apps use my camera**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessCamera** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessCamera** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). - -or- + -or- -- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: +- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - **0**. Apps can't use the camera. + - **0**. Apps can't use the camera. - - **1**. Apps can use the camera. + - **1**. Apps can use the camera. > [!NOTE] > You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](https://msdn.microsoft.com/library/dn905224.aspx). - -or- + -or- -- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where: +- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where: - - **0**. Apps can't use the camera. + - **0**. Apps can't use the camera. - - **1**. Apps can use the camera. + - **1**. Apps can use the camera. To turn off **Choose apps that can use your camera**: -- Turn off the feature in the UI for each app. +- Turn off the feature in the UI for each app. ### 17.4 Microphone @@ -1052,29 +1127,29 @@ In the **Microphone** area, you can choose which apps can access a device's micr To turn off **Let apps use my microphone**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsAccessMicrophone MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmicrophone), where: +- Apply the Privacy/LetAppsAccessMicrophone MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmicrophone), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessMicrophone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two) +- Create a REG\_DWORD registry setting named **LetAppsAccessMicrophone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two) To turn off **Choose apps that can use your microphone**: -- Turn off the feature in the UI for each app. +- Turn off the feature in the UI for each app. ### 17.5 Notifications @@ -1083,45 +1158,45 @@ To turn off **Choose apps that can use your microphone**: To turn off notifications network usage: -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn off Notifications network usage** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn off Notifications network usage** - - Set to **Enabled**. + - Set to **Enabled**. - -or- + -or- -- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one) +- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one) - -or- + -or- -- Apply the Notifications/DisallowCloudNotification MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-notifications#notifications-disallowcloudnotification), where: +- Apply the Notifications/DisallowCloudNotification MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-notifications#notifications-disallowcloudnotification), where: - - **0**. WNS notifications allowed - - **1**. No WNS notifications allowed + - **0**. WNS notifications allowed + - **1**. No WNS notifications allowed In the **Notifications** area, you can also choose which apps have access to notifications. To turn off **Let apps access my notifications**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access notifications** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access notifications** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsAccessNotifications MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessnotifications), where: +- Apply the Privacy/LetAppsAccessNotifications MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessnotifications), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two) +- Create a REG\_DWORD registry setting named **LetAppsAccessNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two) ### 17.6 Speech, inking, & typing @@ -1132,19 +1207,19 @@ In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better To turn off the functionality: -- Click the **Stop getting to know me** button, and then click **Turn off**. +- Click the **Stop getting to know me** button, and then click **Turn off**. - -or- + -or- -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning** +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning** - -or- + -or- -- Create a REG\_DWORD registry setting named **RestrictImplicitInkCollection** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **RestrictImplicitInkCollection** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** with a value of 1 (one). - -or- + -or- -- Create a REG\_DWORD registry setting named **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Personalization\\Settings** with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Personalization\\Settings** with a value of 0 (zero). -and- @@ -1158,10 +1233,10 @@ If you're running at least Windows 10, version 1607, you can turn off updates to Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Speech_AllowSpeechModelUpdate), where: -- **0** (default). Not allowed. -- **1**. Allowed. +- **0** (default). Not allowed. +- **1**. Allowed. - -or- + -or- - Create a REG\_DWORD registry setting named **ModelDownloadAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Preferences** with a value of 0 (zero). @@ -1171,29 +1246,29 @@ In the **Account Info** area, you can choose which apps can access your name, pi To turn off **Let apps access my name, picture, and other account info**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsAccessAccountInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessaccountinfo), where: +- Apply the Privacy/LetAppsAccessAccountInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessaccountinfo), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- - Create a REG\_DWORD registry setting named **LetAppsAccessAccountInfo** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Choose the apps that can access your account info**: -- Turn off the feature in the UI for each app. +- Turn off the feature in the UI for each app. ### 17.8 Contacts @@ -1201,23 +1276,23 @@ In the **Contacts** area, you can choose which apps can access an employee's con To turn off **Choose apps that can access contacts**: -- Turn off the feature in the UI for each app. +- Turn off the feature in the UI for each app. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsAccessContacts MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscontacts), where: +- Apply the Privacy/LetAppsAccessContacts MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscontacts), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- - Create a REG\_DWORD registry setting named **LetAppsAccessContacts** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). @@ -1227,29 +1302,29 @@ In the **Calendar** area, you can choose which apps have access to an employee's To turn off **Let apps access my calendar**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsAccessCalendar MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscalendar), where: +- Apply the Privacy/LetAppsAccessCalendar MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscalendar), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- - Create a REG\_DWORD registry setting named **LetAppsAccessCalendar** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Choose apps that can access calendar**: -- Turn off the feature in the UI for each app. +- Turn off the feature in the UI for each app. ### 17.10 Call history @@ -1257,25 +1332,25 @@ In the **Call history** area, you can choose which apps have access to an employ To turn off **Let apps access my call history**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- - - Apply the Privacy/LetAppsAccessCallHistory MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscallhistory), where: + - Apply the Privacy/LetAppsAccessCallHistory MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscallhistory), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessCallHistory** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessCallHistory** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). ### 17.11 Email @@ -1283,25 +1358,25 @@ In the **Email** area, you can choose which apps have can access and send email. To turn off **Let apps access and send email**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- - - Apply the Privacy/LetAppsAccessEmail MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessemail), where: + - Apply the Privacy/LetAppsAccessEmail MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessemail), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessEmail** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessEmail** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). ### 17.12 Messaging @@ -1309,29 +1384,39 @@ In the **Messaging** area, you can choose which apps can read or send messages. To turn off **Let apps read or send messages (text or MMS)**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsAccessMessaging MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmessaging), where: +- Apply the Privacy/LetAppsAccessMessaging MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmessaging), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessMessaging** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessMessaging** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Choose apps that can read or send messages**: -- Turn off the feature in the UI for each app. +- Turn off the feature in the UI for each app. + +**To turn off Message Sync** + +- Create a REG\_DWORD registry setting named **AllowMessageSync** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\Messaging and set the value to 0. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Messaging** + + - Set the **Allow Message Service Cloud** to **Disable**. ### 17.13 Phone calls @@ -1339,30 +1424,30 @@ In the **Phone calls** area, you can choose which apps can make phone calls. To turn off **Let apps make phone calls**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps make phone calls** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps make phone calls** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsAccessPhone MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone), where: +- Apply the Privacy/LetAppsAccessPhone MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessPhone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessPhone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Choose apps that can make phone calls**: -- Turn off the feature in the UI for each app. +- Turn off the feature in the UI for each app. ### 17.14 Radios @@ -1370,30 +1455,30 @@ In the **Radios** area, you can choose which apps can turn a device's radio on o To turn off **Let apps control radios**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsAccessRadios MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessradios), where: +- Apply the Privacy/LetAppsAccessRadios MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessradios), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessRadios** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessRadios** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Choose apps that can control radios**: -- Turn off the feature in the UI for each app. +- Turn off the feature in the UI for each app. ### 17.15 Other devices @@ -1401,44 +1486,42 @@ In the **Other Devices** area, you can choose whether devices that aren't paired To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps sync with devices** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps sync with devices** - -or- + -or- -- Apply the Privacy/LetAppsSyncWithDevices MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappssyncwithdevices), where: +- Apply the Privacy/LetAppsSyncWithDevices MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappssyncwithdevices), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny + -or- - -or- - -- Create a REG\_DWORD registry setting named **LetAppsSyncWithDevices** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsSyncWithDevices** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices** - - Set the **Select a setting** box to **Force Deny**. +- Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the **Privacy/LetAppsAccessTrustedDevices** MDM policy from the [Policy CSP](/windows/client-management/mdm/policy-csp-privacy.md#privacy-letappsaccesstrusteddevices +- Apply the **Privacy/LetAppsAccessTrustedDevices** MDM policy from the [Policy CSP](/windows/client-management/mdm/policy-csp-privacy.md#privacy-letappsaccesstrusteddevices ), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny - + - **0**. User in control + - **1**. Force allow + - **2**. Force deny ### 17.16 Feedback & diagnostics @@ -1451,23 +1534,23 @@ To change how frequently **Windows should ask for my feedback**: -- To change from **Automatically (Recommended)**, use the drop-down list in the UI. +- To change from **Automatically (Recommended)**, use the drop-down list in the UI. - -or- + -or- -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications** +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications** - -or- + -or- -- Create a REG\_DWORD registry setting named **DoNotShowFeedbackNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DoNotShowFeedbackNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection** with a value of 1 (one). - -or- + -or- -- Create the registry keys (REG\_DWORD type): +- Create the registry keys (REG\_DWORD type): - - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds + - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds - - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod + - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod Based on these settings: @@ -1482,48 +1565,48 @@ To change how frequently **Windows should ask for my feedback**: To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**: -- Click either the **Basic** or **Full** options. +- Click either the **Basic** or **Full** options. - -or- + -or- -- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** and select the appropriate option for your deployment. +- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** and select the appropriate option for your deployment. - -or- + -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry** with a value of 0-3, as appropriate for your deployment (see below for the values for each level). +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry** with a value of 0-3, as appropriate for your deployment (see below for the values for each level). > [!NOTE] > If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The **Security** option is only available in Windows 10 Enterprise edition. - -or- + -or- -- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: +- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - **0**. Maps to the **Security** level. + - **0**. Maps to the **Security** level. - - **1**. Maps to the **Basic** level. + - **1**. Maps to the **Basic** level. - - **2**. Maps to the **Enhanced** level. + - **2**. Maps to the **Enhanced** level. - - **3**. Maps to the **Full** level. + - **3**. Maps to the **Full** level. - -or- + -or- -- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where: +- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where: - - **0**. Maps to the **Security** level. + - **0**. Maps to the **Security** level. - - **1**. Maps to the **Basic** level. + - **1**. Maps to the **Basic** level. - - **2**. Maps to the **Enhanced** level. + - **2**. Maps to the **Enhanced** level. - - **3**. Maps to the **Full** level. + - **3**. Maps to the **Full** level. To turn off tailored experiences with relevant tips and recommendations by using your diagnostics data: - Turn off the feature in the UI. - -or- + -or- - Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences** @@ -1533,25 +1616,25 @@ In the **Background Apps** area, you can choose which apps can run in the backgr To turn off **Let apps run in the background**: -- In **Background apps**, set **Let apps run in the background** to **Off**. +- In **Background apps**, set **Let apps run in the background** to **Off**. - -or- + -or- -- In **Background apps**, turn off the feature for each app. +- In **Background apps**, turn off the feature for each app. - -or- + -or- -- Apply the Group Policy (only applicable for Windows 10, version 1703): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background** +- Apply the Group Policy (only applicable for Windows 10, version 1703): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsRunInBackground MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessruninbackground), where: +- Apply the Privacy/LetAppsRunInBackground MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessruninbackground), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny > [!NOTE] > Some apps, including Cortana and Search, might not function as expected if you set **Let apps run in the background** to **Force Deny**. @@ -1562,23 +1645,23 @@ In the **Motion** area, you can choose which apps have access to your motion dat To turn off **Let Windows and your apps use your motion data and collect motion history**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access motion** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access motion** - -or- + -or- -- Apply the Privacy/LetAppsAccessMotion MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmotion), where: +- Apply the Privacy/LetAppsAccessMotion MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmotion), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessMotion** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessMotion** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). ### 17.19 Tasks @@ -1586,21 +1669,21 @@ In the **Tasks** area, you can choose which apps have access to your tasks. To turn this off: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsAccessTasks MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesstasks), where: +- Apply the Privacy/LetAppsAccessTasks MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesstasks), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny ### 17.20 App Diagnostics @@ -1608,19 +1691,19 @@ In the **App diagnostics** area, you can choose which apps have access to your d To turn this off: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access dignostic information about other apps** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access dignostic information about other apps** - -or- + -or- -- Apply the Privacy/LetAppsGetDiagnosticInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsgetdiagnosticinfo), where: +- Apply the Privacy/LetAppsGetDiagnosticInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsgetdiagnosticinfo), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny ### 18. Software Protection Platform @@ -1631,11 +1714,11 @@ For Windows 10: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** - -or- + -or- -- Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled. +- Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled. - -or- + -or- - Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). @@ -1643,7 +1726,7 @@ For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Co - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** - -or- + -or- - Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). @@ -1654,37 +1737,41 @@ The Windows activation status will be valid for a rolling period of 180 days wit Enterprise customers can manage updates to the Disk Failure Prediction Model. For Windows 10: +- Disable this Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Storage Health** > **Allow downloading updates to the Disk Failure Prediction Model** -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Storage Health** > **Allow downloading updates to the Disk Failure Prediction Model** + -or- + +- Create a REG\_DWORD registry setting named **AllowDiskHealthModelUpdates** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\StorageHealth** with a value of 0. ### 20. Sync your settings You can control if your settings are synchronized: -- In the UI: **Settings** > **Accounts** > **Sync your settings** +- In the UI: **Settings** > **Accounts** > **Sync your settings** - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync** - -or- + -or- -- Create a REG\_DWORD registry setting named **DisableSettingSync** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 2 (two) and another named **DisableSettingSyncUserOverride** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DisableSettingSync** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 2 (two) and another named **DisableSettingSyncUserOverride** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 1 (one). - -or- + -or- -- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. +- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. - -or- + -or- -- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where +- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where - - **No**. Settings are not synchronized. + - **No**. Settings are not synchronized. - - **Yes**. Settings are synchronized. (default) + - **Yes**. Settings are synchronized. (default) To turn off Messaging cloud sync: +- Set the Group Policy Allow Message Service Cloud to Disable. The Group Policy path is Computer Configuration\Administrative templates\Windows Components\Messaging\Allow Message Service Cloud - Create a REG\_DWORD registry setting named **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging** with a value of 0 (zero). ### 21. Teredo @@ -1694,15 +1781,15 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command. >[!NOTE] >If you disable Teredo, some XBOX gaming features and Windows Update Delivery Optimization will not work. -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**. +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**. - -or- + -or- -- Create a new REG\_SZ registry setting named **Teredo_State** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TCPIP\\v6Transition** with a value of **Disabled**. +- Create a new REG\_SZ registry setting named **Teredo_State** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TCPIP\\v6Transition** with a value of **Disabled**. - -or- + -or- -- From an elevated command prompt, run **netsh interface teredo set state disabled** +- From an elevated command prompt, run **netsh interface teredo set state disabled** ### 22. Wi-Fi Sense @@ -1713,23 +1800,23 @@ Wi-Fi Sense automatically connects devices to known hotspots and to the wireless To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**. +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**. - -or- + -or- -- Create a new REG\_DWORD registry setting named **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config** with a value of 0 (zero). +- Create a new REG\_DWORD registry setting named **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config** with a value of 0 (zero). - -or- + -or- -- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620909). +- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620909). - -or- + -or- -- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620910). +- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620910). When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. @@ -1737,55 +1824,55 @@ When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings scr You can disconnect from the Microsoft Antimalware Protection Service. -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** - -or- + -or- -- Delete the registry setting **named** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates**. +- Delete the registry setting **named** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates**. - -or- + -or- -- For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). +- For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - -or- + -or- -- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero). +- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero). - -and- + -and- From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0** You can stop sending file samples back to Microsoft. -- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. +- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. - -or- + -or- -- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender), where: +- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender), where: - - **0**. Always prompt. + - **0**. Always prompt. - - **1**. (default) Send safe samples automatically. + - **1**. (default) Send safe samples automatically. - - **2**. Never send. + - **2**. Never send. - - **3**. Send all samples automatically. + - **3**. Send all samples automatically. - -or- + -or- -- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send. +- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send. You can stop downloading definition updates: -- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. +- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. - -and- + -and- -- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. +- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. - -or- + -or- -- Create a new REG\_SZ registry setting named **FallbackOrder** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates** with a value of **FileShares**. +- Create a new REG\_SZ registry setting named **FallbackOrder** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates** with a value of **FileShares**. For Windows 10 only, you can stop Enhanced Notifications: @@ -1793,19 +1880,49 @@ For Windows 10 only, you can stop Enhanced Notifications: You can also use the registry to turn off Malicious Software Reporting Tool diagnostic data by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. +### 23.1 Windows Defender SmartScreen + +To disable Windows Defender Smartscreen: + +- In Group Policy, configure - **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** : **Disable** + + -and- + +- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows Defender SmartScreen** : **Disable** + + -and- + +- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure app install control** : **Enable** + + -or- + +- Create a REG_DWORD registry setting named **EnableSmartScreen** in **HKEY_LOCAL_MACHINE\Sofware\Policies\Microsoft\Windows\System** with a value of 0 (zero). + + -and- + +- Create a REG_DWORD registry setting named **ConfigureAppInstallControlEnabled** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of 1. + + -and- + +- Create a SZ registry setting named **ConfigureAppInstallControl** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of **Anywhere**. + + -or- + +- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. + ### 24. Windows Media Player To remove Windows Media Player on Windows 10: -- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**. +- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**. - -or- + -or- -- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** +- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** To remove Windows Media Player on Windows Server 2016: -- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** +- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** ### 25. Windows Spotlight @@ -1818,51 +1935,68 @@ If you're running Windows 10, version 1607 or later, you only need to enable the > [!NOTE] > This must be done within 15 minutes after Windows 10 is installed. Alternatively, you can create an image with this setting. - -or- + -or- -- For Windows 10 only, apply the Experience/AllowWindowsSpotlight MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience), with a value of 0 (zero). +- For Windows 10 only, apply the Experience/AllowWindowsSpotlight MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience), with a value of 0 (zero). - -or- + -or- -- Create a new REG\_DWORD registry setting named **DisableWindowsSpotlightFeatures** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one). +- Create a new REG\_DWORD registry setting named **DisableWindowsSpotlightFeatures** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one). + + +-and- + + +- **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the Lock Screen** + + -or- + +- Create a new REG\_DWORD registry setting named **NoLockScreen** in **HKEY\Local\Machine\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of 1 (one). If you're not running Windows 10, version 1607 or later, you can use the other options in this section. -- Configure the following in **Settings**: +- Configure the following in **Settings**: - - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Get fun facts, tips, tricks and more on your lock screen**. + - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Get fun facts, tips, tricks and more on your lock screen**. - > [!NOTE] - > In Windows 10, version 1507 and Windows 10, version 1511, this setting was named **Show me tips, tricks, and more on the lock screen**. + > [!NOTE] + > In Windows 10, version 1507 and Windows 10, version 1511, this setting was named **Show me tips, tricks, and more on the lock screen**. - - **Personalization** > **Start** > **Occasionally show suggestions in Start**. + - **Personalization** > **Start** > **Occasionally show suggestions in Start**. - - **System** > **Notifications & actions** > **Show me tips about Windows**. + - **System** > **Notifications & actions** > **Show me tips about Windows**. - -or- + -or- -- Apply the Group Policies: +- Apply the Group Policies: - - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. - - Add a location in the **Path to local lock screen image** box. + - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. + - Add a location in the **Path to local lock screen image** box. - - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box. + - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box. - > [!NOTE] - > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting nameed **LockScreenImage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting named **LockScreenOverlaysDisabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of 1 (one). + > [!NOTE] + > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting named **LockScreenImage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting named **LockScreenOverlaysDisabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of 1 (one). - - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**. + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**. - -or- + -or- - - Create a new REG\_DWORD registry setting named **DisableSoftLanding** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one). + - Create a new REG\_DWORD registry setting named **DisableSoftLanding** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one). - - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. - -or- + -or- + + - Create a new REG\_DWORD registry setting named **DisableWindowsConsumerFeatures** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one). + + - This policy setting controls whether the lock screen appears for users. The Do not display the lock screen Group Policy should be set to Enable to prevent the lock screen from being displayed. The Group Computer Configuration\Administrative templates\Control Panel\Personalization!Do not display the lock screen. + + - If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC. + + - If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse. - - Create a new REG\_DWORD registry setting named **DisableWindowsConsumerFeatures** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one). For more info, see [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight). @@ -1873,17 +2007,17 @@ This will also turn off automatic app updates, and the Microsoft Store will be d In addition, new email accounts cannot be created by clicking **Settings** > **Accounts** > **Email & app accounts** > **Add an account**. On Windows Server 2016, this will block Microsoft Store calls from Universal Windows Apps. -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Microsoft Store**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Microsoft Store**. - -or- + -or- - - Create a new REG\_DWORD registry setting named **DisableStoreApps** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 1 (one). + - Create a new REG\_DWORD registry setting named **DisableStoreApps** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 1 (one). -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**. - -or- + -or- - - Create a new REG\_DWORD registry setting named **AutoDownload** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 2 (two). + - Create a new REG\_DWORD registry setting named **AutoDownload** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 2 (two). ### 26.1 Apps for websites @@ -1905,7 +2039,7 @@ In Windows 10, version 1607, you can stop network traffic related to Windows Upd You can set up Delivery Optimization from the **Settings** UI. -- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. +- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. ### 27.2 Delivery Optimization Group Policies @@ -1913,13 +2047,13 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con | Policy | Description | |---------------------------|-----------------------------------------------------------------------------------------------------| -| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including

    • None. Turns off Delivery Optimization.

    • Group. Gets or sends updates and apps to PCs on the same local network domain.

    • Internet. Gets or sends updates and apps to PCs on the Internet.

    • LAN. Gets or sends updates and apps to PCs on the same NAT only.

    • Simple. Simple download mode with no peering.

    • Bypass. Use BITS instead of Windows Update Delivery Optimization.

    | +| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including

    • None. Turns off Delivery Optimization.

    • Group. Gets or sends updates and apps to PCs on the same local network domain.

    • Internet. Gets or sends updates and apps to PCs on the Internet.

    • LAN. Gets or sends updates and apps to PCs on the same NAT only.

    • Simple. Simple download mode with no peering.

    • Bypass. Use BITS instead of Windows Update Delivery Optimization.Set to Bypass to restrict traffic.

    | | Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates.
    **Note:** This ID must be a GUID.| | Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
    The default value is 259200 seconds (3 days).| | Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
    The default value is 20, which represents 20% of the disk.| | Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
    The default value is 0, which means unlimited possible bandwidth.| -You can also set the **Download Mode** policy by creating a new REG\_DWORD registry setting named **DODownloadMode** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization** with a value of 100 (one hundred). +Set the Delivery Optimization Group Policy to "Bypass" to prevent traffic. Alternatively, you can set the **Download Mode** policy by creating a new REG\_DWORD registry setting named **DODownloadMode** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization** to a value of 100 (one hundred). ### 27.3 Delivery Optimization MDM policies @@ -1927,7 +2061,7 @@ The following Delivery Optimization MDM policies are available in the [Policy CS | Policy | Description | |---------------------------|-----------------------------------------------------------------------------------------------------| -| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including

    • 0. Turns off Delivery Optimization.

    • 1. Gets or sends updates and apps to PCs on the same NAT only.

    • 2. Gets or sends updates and apps to PCs on the same local network domain.

    • 3. Gets or sends updates and apps to PCs on the Internet.

    • 99. Simple download mode with no peering.

    • 100. Use BITS instead of Windows Update Delivery Optimization.

    | +| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including

    • 0. Turns off Delivery Optimization.

    • 1. Gets or sends updates and apps to PCs on the same NAT only.

    • 2. Gets or sends updates and apps to PCs on the same local network domain.

    • 3. Gets or sends updates and apps to PCs on the Internet.

    • 99. Simple download mode with no peering.

    • 100. Use BITS instead of Windows Update Delivery Optimization.

    | | DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
    **Note** This ID must be a GUID.| | DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
    The default value is 259200 seconds (3 days).| | DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size.
    The default value is 20, which represents 20% of the disk.| @@ -1954,47 +2088,66 @@ For more info about Delivery Optimization in general, see [Windows Update Delive You can turn off Windows Update by setting the following registry entries: -- Add a REG\_DWORD value named **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. +- Add a REG\_DWORD value named **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. - -and- + -and- -- Add a REG\_DWORD value named **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. +- Add a REG\_DWORD value named **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. - -and- + -and- -- Add a REG\_DWORD value named **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1. +- Add a REG\_DWORD value named **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations**. - -and- + -and- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features**. - -and- + -and- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** and set the **Set the alternate download server** to " ". +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** and set the **Set the alternate download server** to " ". You can turn off automatic updates by doing one of the following. This is not recommended. -- Add a REG\_DWORD value named **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5. +- Add a REG\_DWORD value named **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5. - -or- + -or- -- For Windows 10 only, apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update), where: +- For Windows 10 only, apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update), where: - - **0**. Notify the user before downloading the update. + - **0**. Notify the user before downloading the update. - - **1**. Auto install the update and then notify the user to schedule a device restart. + - **1**. Auto install the update and then notify the user to schedule a device restart. - - **2** (default). Auto install and restart. + - **2** (default). Auto install and restart. - - **3**. Auto install and restart at a specified time. + - **3**. Auto install and restart at a specified time. - - **4**. Auto install and restart without end-user control. + - **4**. Auto install and restart without end-user control. - - **5**. Turn off automatic updates. + - **5**. Turn off automatic updates. + + +### 29. License Manager + +You can turn off License Manager related traffic by setting the following registry entry: + +- Add a REG\_DWORD value named **Start** to **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\LicenseManager** and set the value to 4 + +- The value 4 is to disable the service. Here are the available options to set the registry: + + - **0x00000000** = Boot + + - **0x00000001** = System + + - **0x00000002** = Automatic + + - **0x00000003** = Manual + + - **0x00000004** = Disabled To learn more, see [Device update management](https://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](https://technet.microsoft.com/library/cc720539.aspx). diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md new file mode 100644 index 0000000000..2e754c9ad3 --- /dev/null +++ b/windows/privacy/manage-windows-1709-endpoints.md @@ -0,0 +1,489 @@ +--- +title: Connection endpoints for Windows 10, version 1709 +description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +author: danihalfin +ms.author: daniha +ms.date: 6/26/2018 +--- +# Manage connection endpoints for Windows 10, version 1709 + +**Applies to** + +- Windows 10, version 1709 + +Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: + +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. + +This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. +Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Enterprise connection endpoints + +## Apps + +The following endpoint is used to download updates to the Weather app Live Tile. +If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| explorer | HTTP | tile-service.weather.microsoft.com | + +The following endpoint is used for OneNote Live Tile. +To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | + +The following endpoints are used for Twitter updates. +To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | wildcard.twimg.com | +| svchost.exe | | oem.twimg.com/windows/tile.xml | + +The following endpoint is used for Facebook updates. +To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | star-mini.c10r.facebook.com | + +The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. +To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | + +The following endpoint is used for Candy Crush Saga updates. +To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | TLS v1.2 | candycrushsoda.king.com | + +The following endpoint is used for by the Microsoft Wallet app. +To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | + +The following endpoint is used by the Groove Music app for update HTTP handler status. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | + +## Cortana and Search + +The following endpoint is used to get images that are used for Microsoft Store suggestions. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| searchui | HTTPS |store-images.s-microsoft.com | + +The following endpoint is used to update Cortana greetings, tips, and Live Tiles. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | www.bing.com/client | + +The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | www.bing.com/proactive | + +The following endpoint is used by Cortana to report diagnostic and diagnostic data information. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| searchui
    backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | + +## Certificates + +The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. + +Additionally, it is used to download certificates that are publicly known to be fraudulent. +These settings are critical for both Windows security and the overall security of the Internet. +We do not recommend blocking this endpoint. +If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTP | ctldl.windowsupdate.com | + +## Device authentication + +The following endpoint is used to authenticate a device. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | login.live.com/ppsecure | + +## Device metadata + +The following endpoint is used to retrieve device metadata. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | dmd.metaservices.microsoft.com.akadns.net | + +## Diagnostic Data + +The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | cy2.vortex.data.microsoft.com.akadns.net | + +The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 | + +The following endpoints are used by Windows Error Reporting. +To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| wermgr | | watson.telemetry.microsoft.com | +| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | + +## Font streaming + +The following endpoints are used to download fonts on demand. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | fs.microsoft.com | +| | | fs.microsoft.com/fs/windows/config.json | + +## Licensing + +The following endpoint is used for online activation and some app licensing. +To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | + +## Location + +The following endpoint is used for location data. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | location-inference-westus.cloudapp.net | + +## Maps + +The following endpoint is used to check for updates to maps that have been downloaded for offline use. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *g.akamaiedge.net | + +## Microsoft account + +The following endpoints are used for Microsoft accounts to sign in. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | login.msa.akadns6.net | +| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | + +## Microsoft Store + +The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | *.wns.windows.com | + +The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. +To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | storecatalogrevocation.storequality.microsoft.com | + +The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | + +The following endpoints are used to communicate with Microsoft Store. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | storeedgefd.dsx.mp.microsoft.com | +| | HTTP | pti.store.microsoft.com | +||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| + +## Network Connection Status Indicator (NCSI) + +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | www.msftconnecttest.com/connecttest.txt | + +## Office + +The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). +You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. +If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | *.a-msedge.net | +| hxstr | | *.c-msedge.net | +| | | *.e-msedge.net | +| | | *.s-msedge.net | + +The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). +You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. +If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\Auth.Host.exe | HTTPS | outlook.office365.com | + +The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| + +## OneDrive + +The following endpoint is a redirection service that’s used to automatically update URLs. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | + +The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). +To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| onedrive | HTTPS | oneclient.sfx.ms | + +## Settings + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| dmclient | | cy2.settings.data.microsoft.com.akadns.net | + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| dmclient | HTTPS | settings.data.microsoft.com | + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | settings-win.data.microsoft.com | + +## Skype + +The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | + + + +## Windows Defender + +The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | wdcp.microsoft.com | + +The following endpoints are used for Windows Defender definition updates. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | definitionupdates.microsoft.com | +|MpCmdRun.exe|HTTPS|go.microsoft.com | + +## Windows Spotlight + +The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | arc.msn.com | +| backgroundtaskhost | | g.msn.com.nsatc.net | +| |TLS v1.2| *.search.msn.com | +| | HTTPS | ris.api.iris.microsoft.com | +| | HTTPS | query.prod.cms.rt.microsoft.com | + +## Windows Update + +The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | + +The following endpoints are used to download operating system patches and updates. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTP | *.windowsupdate.com | +| | HTTP | fg.download.windowsupdate.com.c.footprint.net | + +The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | cds.d2s7q6s2.hwcdn.net | + +The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | *wac.phicdn.net | +| | | *wac.edgecastcdn.net | + +The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired). +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | + +The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | emdl.ws.microsoft.com | + +The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | fe2.update.microsoft.com | +| svchost | | fe3.delivery.mp.microsoft.com | +| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | +| svchost | HTTPS | sls.update.microsoft.com | + +The following endpoint is used for content regulation. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | + +The following endpoints are used to download content. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | a122.dscd.akamai.net | +| | | a1621.g.akamai.net | + +## Microsoft forward link redirection service (FWLink) + +The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. + +If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|Various|HTTPS|go.microsoft.com| + +## Other Windows 10 versions and editions + +To view endpoints for other versions of Windows 10 enterprise, see: +- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) + +To view endpoints for non-Enterprise Windows 10 editions, see: +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) +- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) + +## Related links + +- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) +- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) \ No newline at end of file diff --git a/windows/privacy/manage-windows-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md similarity index 67% rename from windows/privacy/manage-windows-endpoints.md rename to windows/privacy/manage-windows-1803-endpoints.md index 721814aabe..f508978478 100644 --- a/windows/privacy/manage-windows-endpoints.md +++ b/windows/privacy/manage-windows-1803-endpoints.md @@ -1,5 +1,5 @@ --- -title: Windows 10 connection endpoints +title: Connection endpoints for Windows 10, version 1803 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 ms.prod: w10 @@ -10,11 +10,11 @@ author: danihalfin ms.author: daniha ms.date: 6/26/2018 --- -# Manage Windows 10 connection endpoints +# Manage connection endpoints for Windows 10, version 1803 **Applies to** -- Windows 10, version 1709 and later +- Windows 10, version 1803 Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: @@ -34,7 +34,8 @@ We used the following methodology to derive these network endpoints: 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. @@ -46,252 +47,248 @@ We used the following methodology to derive these network endpoints: The following endpoint is used to download updates to the Weather app Live Tile. If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| explorer | HTTP | tile-service.weather.microsoft.com | 1709 | -| | HTTP | blob.weather.microsoft.com | 1803 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| explorer | HTTP | tile-service.weather.microsoft.com | +| | HTTP | blob.weather.microsoft.com | The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | HTTPS | wildcard.twimg.com | 1709 | -| svchost.exe | | oem.twimg.com/windows/tile.xml | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | wildcard.twimg.com | +| svchost.exe | | oem.twimg.com/windows/tile.xml | The following endpoint is used for Facebook updates. To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | | star-mini.c10r.facebook.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | star-mini.c10r.facebook.com | The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | TLS v1.2 | candycrushsoda.king.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | TLS v1.2 | candycrushsoda.king.com | The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | The following endpoint is used by the Groove Music app for update HTTP handler status. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | ## Cortana and Search The following endpoint is used to get images that are used for Microsoft Store suggestions. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| searchui | HTTPS |store-images.s-microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| searchui | HTTPS |store-images.s-microsoft.com | The following endpoint is used to update Cortana greetings, tips, and Live Tiles. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| backgroundtaskhost | HTTPS | www.bing.com/client | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | www.bing.com/client | The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| backgroundtaskhost | HTTPS | www.bing.com/proactive | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | www.bing.com/proactive | The following endpoint is used by Cortana to report diagnostic and diagnostic data information. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| searchui
    backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| searchui
    backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | ## Certificates -The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. +The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | HTTP | ctldl.windowsupdate.com | 1709 | - -The following endpoints are used to download certificates that are publicly known to be fraudulent. +Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | HTTP | ctldl.windowsupdate.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTP | ctldl.windowsupdate.com | ## Device authentication The following endpoint is used to authenticate a device. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | HTTPS | login.live.com/ppsecure | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | login.live.com/ppsecure | ## Device metadata The following endpoint is used to retrieve device metadata. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | | dmd.metaservices.microsoft.com.akadns.net | 1709 | -| | HTTP | dmd.metaservices.microsoft.com | 1803 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | dmd.metaservices.microsoft.com.akadns.net | +| | HTTP | dmd.metaservices.microsoft.com | ## Diagnostic Data The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | | cy2.vortex.data.microsoft.com.akadns.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | cy2.vortex.data.microsoft.com.akadns.net | The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 | The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| wermgr | | watson.telemetry.microsoft.com | 1709 | -| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| wermgr | | watson.telemetry.microsoft.com | +| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | ## Font streaming The following endpoints are used to download fonts on demand. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | | fs.microsoft.com | 1709 | -| | | fs.microsoft.com/fs/windows/config.json | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | fs.microsoft.com | +| | | fs.microsoft.com/fs/windows/config.json | ## Licensing The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | ## Location The following endpoint is used for location data. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | HTTP | location-inference-westus.cloudapp.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | location-inference-westus.cloudapp.net | ## Maps The following endpoint is used to check for updates to maps that have been downloaded for offline use. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | HTTPS | *g.akamaiedge.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *g.akamaiedge.net | ## Microsoft account The following endpoints are used for Microsoft accounts to sign in. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | | login.msa.akadns6.net | 1709 | -| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | login.msa.akadns6.net | +| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | ## Microsoft Store The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | | *.wns.windows.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | *.wns.windows.com | The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | HTTP | storecatalogrevocation.storequality.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | storecatalogrevocation.storequality.microsoft.com | The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | 1709 | -| backgroundtransferhost | HTTPS | store-images.microsoft.com | 1803 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | +| backgroundtransferhost | HTTPS | store-images.microsoft.com | The following endpoints are used to communicate with Microsoft Store. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | HTTP | storeedgefd.dsx.mp.microsoft.com | 1709 | -| | HTTP | pti.store.microsoft.com | 1709 | -||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| 1709 | -| svchost | HTTPS | displaycatalog.mp.microsoft.com | 1803 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | storeedgefd.dsx.mp.microsoft.com | +| | HTTP | pti.store.microsoft.com | +||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| +| svchost | HTTPS | displaycatalog.mp.microsoft.com | ## Network Connection Status Indicator (NCSI) Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | HTTP | www.msftconnecttest.com/connecttest.txt | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | www.msftconnecttest.com/connecttest.txt | ## Office @@ -299,74 +296,74 @@ The following endpoints are used to connect to the Office 365 portal's shared in You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | | *.a-msedge.net | 1709 | -| hxstr | | *.c-msedge.net | 1709 | -| | | *.e-msedge.net | 1709 | -| | | *.s-msedge.net | 1709 | -| | HTTPS | ocos-office365-s2s.msedge.net | 1803 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | *.a-msedge.net | +| hxstr | | *.c-msedge.net | +| | | *.e-msedge.net | +| | | *.s-msedge.net | +| | HTTPS | ocos-office365-s2s.msedge.net | The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| system32\Auth.Host.exe | HTTPS | outlook.office365.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\Auth.Host.exe | HTTPS | outlook.office365.com | The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| ## OneDrive The following endpoint is a redirection service that’s used to automatically update URLs. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| onedrive | HTTPS | oneclient.sfx.ms | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| onedrive | HTTPS | oneclient.sfx.ms | ## Settings The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| dmclient | | cy2.settings.data.microsoft.com.akadns.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| dmclient | | cy2.settings.data.microsoft.com.akadns.net | The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| dmclient | HTTPS | settings.data.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| dmclient | HTTPS | settings.data.microsoft.com | The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | HTTPS | settings-win.data.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | settings-win.data.microsoft.com | ## Skype The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | @@ -375,102 +372,102 @@ The following endpoint is used to retrieve Skype configuration values. To turn o The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | | wdcp.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | wdcp.microsoft.com | The following endpoints are used for Windows Defender definition updates. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | | definitionupdates.microsoft.com | 1709 | -|MpCmdRun.exe|HTTPS|go.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | definitionupdates.microsoft.com | +|MpCmdRun.exe|HTTPS|go.microsoft.com | ## Windows Spotlight The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| backgroundtaskhost | HTTPS | arc.msn.com | 1709 | -| backgroundtaskhost | | g.msn.com.nsatc.net | 1709 | -| |TLS v1.2| *.search.msn.com | 1709 | -| | HTTPS | ris.api.iris.microsoft.com | 1709 | -| | HTTPS | query.prod.cms.rt.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | arc.msn.com | +| backgroundtaskhost | | g.msn.com.nsatc.net | +| |TLS v1.2| *.search.msn.com | +| | HTTPS | ris.api.iris.microsoft.com | +| | HTTPS | query.prod.cms.rt.microsoft.com | ## Windows Update The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | The following endpoints are used to download operating system patches and updates. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | HTTP | *.windowsupdate.com | 1709 | -| | HTTP | fg.download.windowsupdate.com.c.footprint.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTP | *.windowsupdate.com | +| | HTTP | fg.download.windowsupdate.com.c.footprint.net | The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | | cds.d2s7q6s2.hwcdn.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | cds.d2s7q6s2.hwcdn.net | The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | HTTP | *wac.phicdn.net | 1709 | -| | | *wac.edgecastcdn.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | *wac.phicdn.net | +| | | *wac.edgecastcdn.net | The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired). If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | | emdl.ws.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | emdl.ws.microsoft.com | The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | HTTPS | fe2.update.microsoft.com | 1709 | -| svchost | | fe3.delivery.mp.microsoft.com | 1709 | -| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | 1709 | -| svchost | HTTPS | sls.update.microsoft.com | 1709 | -| | HTTP | *.dl.delivery.mp.microsoft.com | 1803 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | fe2.update.microsoft.com | +| svchost | | fe3.delivery.mp.microsoft.com | +| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | +| svchost | HTTPS | sls.update.microsoft.com | +| | HTTP | *.dl.delivery.mp.microsoft.com | The following endpoint is used for content regulation. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | The following endpoints are used to download content. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | | a122.dscd.akamai.net | 1709 | -| | | a1621.g.akamai.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | a122.dscd.akamai.net | +| | | a1621.g.akamai.net | ## Microsoft forward link redirection service (FWLink) @@ -478,12 +475,16 @@ The following endpoint is used by the Microsoft forward link redirection service If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -|Various|HTTPS|go.microsoft.com| 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +|Various|HTTPS|go.microsoft.com| ## Other Windows 10 editions +To view endpoints for other versions of Windows 10 enterprise, see: +- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) + To view endpoints for non-Enterprise Windows 10 editions, see: - [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) - [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md new file mode 100644 index 0000000000..7c645311a6 --- /dev/null +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -0,0 +1,527 @@ +--- +title: Connection endpoints for Windows 10, version 1809 +description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +author: danihalfin +ms.author: daniha +ms.date: 6/26/2018 +--- +# Manage connection endpoints for Windows 10, version 1809 + +**Applies to** + +- Windows 10, version 1809 + +Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: + +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. + +This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. +Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Enterprise connection endpoints + +## Apps + +The following endpoint is used to download updates to the Weather app Live Tile. +If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| explorer | HTTP | tile-service.weather.microsoft.com | +| | HTTP | blob.weather.microsoft.com | + +The following endpoint is used for OneNote Live Tile. +To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | + +The following endpoints are used for Twitter updates. +To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | wildcard.twimg.com | +| svchost.exe | | oem.twimg.com/windows/tile.xml | + +The following endpoint is used for Facebook updates. +To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | star-mini.c10r.facebook.com | + +The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. +To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | + +The following endpoint is used for Candy Crush Saga updates. +To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | TLS v1.2 | candycrushsoda.king.com | + +The following endpoint is used for by the Microsoft Wallet app. +To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | + +The following endpoint is used by the Groove Music app for update HTTP handler status. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | + +The following endpoints are used when using the Whiteboard app. +To turn off traffic for this endpoint [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | wbd.ms | +| | HTTPS | int.whiteboard.microsoft.com | +| | HTTPS | whiteboard.microsoft.com | +| | HTTP / HTTPS | whiteboard.ms | + +## Cortana and Search + +The following endpoint is used to get images that are used for Microsoft Store suggestions. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| searchui | HTTPS |store-images.s-microsoft.com | + +The following endpoint is used to update Cortana greetings, tips, and Live Tiles. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | www.bing.com/client | + +The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | www.bing.com/proactive | + +The following endpoint is used by Cortana to report diagnostic and diagnostic data information. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| searchui
    backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | + +## Certificates + +The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. + +Additionally, it is used to download certificates that are publicly known to be fraudulent. +These settings are critical for both Windows security and the overall security of the Internet. +We do not recommend blocking this endpoint. +If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTP | ctldl.windowsupdate.com | + +## Device authentication + +The following endpoint is used to authenticate a device. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | login.live.com/ppsecure | + +## Device metadata + +The following endpoint is used to retrieve device metadata. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | dmd.metaservices.microsoft.com.akadns.net | +| | HTTP | dmd.metaservices.microsoft.com | + +## Diagnostic Data + +The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | cy2.vortex.data.microsoft.com.akadns.net | + +The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 | + +The following endpoints are used by Windows Error Reporting. +To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| wermgr | | watson.telemetry.microsoft.com | +| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | + +## Font streaming + +The following endpoints are used to download fonts on demand. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | fs.microsoft.com | +| | | fs.microsoft.com/fs/windows/config.json | + +## Licensing + +The following endpoint is used for online activation and some app licensing. +To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | + +## Location + +The following endpoint is used for location data. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | location-inference-westus.cloudapp.net | +| | HTTPS | inference.location.live.net | + +## Maps + +The following endpoint is used to check for updates to maps that have been downloaded for offline use. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *g.akamaiedge.net | + +## Microsoft account + +The following endpoints are used for Microsoft accounts to sign in. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | login.msa.akadns6.net | +| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | +| | | us.configsvc1.live.com.akadns.net | + +## Microsoft Store + +The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | *.wns.windows.com | + +The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. +To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | storecatalogrevocation.storequality.microsoft.com | + +The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | +| backgroundtransferhost | HTTPS | store-images.microsoft.com | + +The following endpoints are used to communicate with Microsoft Store. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | storeedgefd.dsx.mp.microsoft.com | +| | HTTP \ HTTPS | pti.store.microsoft.com | +||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| +| svchost | HTTPS | displaycatalog.mp.microsoft.com | + +## Network Connection Status Indicator (NCSI) + +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | www.msftconnecttest.com/connecttest.txt | + +## Office + +The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). +You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. +If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | *.a-msedge.net | +| hxstr | | *.c-msedge.net | +| | | *.e-msedge.net | +| | | *.s-msedge.net | +| | HTTPS | ocos-office365-s2s.msedge.net | +| | HTTPS | nexusrules.officeapps.live.com | +| | HTTPS | officeclient.microsoft.com | + +The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). +You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. +If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\Auth.Host.exe | HTTPS | outlook.office365.com | + +The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| + +The following endpoint is used to connect the Office To-Do app to it's cloud service. +To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| |HTTPS|to-do.microsoft.com| + +## OneDrive + +The following endpoint is a redirection service that’s used to automatically update URLs. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | + +The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). +To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| onedrive | HTTPS | oneclient.sfx.ms | + +## Settings + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| dmclient | | cy2.settings.data.microsoft.com.akadns.net | + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| dmclient | HTTPS | settings.data.microsoft.com | + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | settings-win.data.microsoft.com | + +## Skype + +The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | +| | HTTPS | browser.pipe.aria.microsoft.com | +| | | skypeecs-prod-usw-0-b.cloudapp.net | + +## Windows Defender + +The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | wdcp.microsoft.com | + +The following endpoints are used for Windows Defender definition updates. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | definitionupdates.microsoft.com | +|MpCmdRun.exe|HTTPS|go.microsoft.com | + +The following endpoints are used for Windows Defender Smartscreen reporting and notifications. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Smartscreen notifications will no appear. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | ars.smartscreen.microsoft.com | +| | HTTPS | unitedstates.smartscreen-prod.microsoft.com | +| | | smartscreen-sn3p.smartscreen.microsoft.com | + +## Windows Spotlight + +The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | arc.msn.com | +| backgroundtaskhost | | g.msn.com.nsatc.net | +| |TLS v1.2| *.search.msn.com | +| | HTTPS | ris.api.iris.microsoft.com | +| | HTTPS | query.prod.cms.rt.microsoft.com | + +## Windows Update + +The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | + +The following endpoints are used to download operating system patches and updates. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTP | *.windowsupdate.com | +| | HTTP | fg.download.windowsupdate.com.c.footprint.net | + +The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | cds.d2s7q6s2.hwcdn.net | + +The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | *wac.phicdn.net | +| | | *wac.edgecastcdn.net | + +The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired). +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | + +The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | emdl.ws.microsoft.com | + +The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | fe2.update.microsoft.com | +| svchost | | fe3.delivery.mp.microsoft.com | +| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | +| svchost | HTTPS | sls.update.microsoft.com | +| | HTTP | *.dl.delivery.mp.microsoft.com | + +The following endpoint is used for content regulation. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | + +The following endpoints are used to download content. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | a122.dscd.akamai.net | +| | | a1621.g.akamai.net | + +## Microsoft forward link redirection service (FWLink) + +The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. + +If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|Various|HTTPS|go.microsoft.com| + +## Other Windows 10 editions + +To view endpoints for other versions of Windows 10 Enterprise, see: +- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) + +To view endpoints for non-Enterprise Windows 10 editions, see: +- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) +- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) + + +## Related links + +- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) +- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) \ No newline at end of file diff --git a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md index 72a79162f0..89c04ebc76 100644 --- a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md @@ -26,7 +26,8 @@ We used the following methodology to derive these network endpoints: 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. diff --git a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md index ea2c517a4f..39343b19d9 100644 --- a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md @@ -26,7 +26,8 @@ We used the following methodology to derive these network endpoints: 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. @@ -48,13 +49,14 @@ We used the following methodology to derive these network endpoints: | cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | | cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | | displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | -|dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). | +| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). | | fe2.update.microsoft.com* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | g.live.com/odclientsettings/Prod | HTTPS | Used by OneDrive for Business to download and verify app updates. | | g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | | geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | +| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | | ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | | licensing.mp.microsoft.com/v7.0/licenses/content | HTTPS | Used for online activation and some app licensing. | | location-inference-westus.cloudapp.net | HTTPS | Used for location data. | @@ -63,21 +65,24 @@ We used the following methodology to derive these network endpoints: | ocos-office365-s2s.msedge.net* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | | ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | | oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry | +| prod.nexusrules.live.com.akadns.net | HTTPS | Office Telemetry | | query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | | ris.api.iris.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | | settings.data.microsoft.com/settings/v2.0/* | HTTPS | Used for Windows apps to dynamically update their configuration. | | settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration.  | +| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app | | sls.update.microsoft.com* | HTTPS | Enables connections to Windows Update. | | storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | | storeedgefd.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | | tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. | | tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | +| us.configsvc1.live.com.akadns.net | HTTPS | Microsoft Office configuration related traffic | | watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | +| wd-prod-cp-us-east-2-fe.eastus.cloudapp.azure.com | HTTPS | Azure front end traffic | ## Windows 10 Pro - | **Destination** | **Protocol** | **Description** | | --- | --- | --- | | *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | @@ -92,11 +97,13 @@ We used the following methodology to derive these network endpoints: | cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | | dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| flightingservicewus.cloudapp.net | HTTPS | Insider Program | | g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | | ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | | location-inference-westus.cloudapp.net | HTTPS | Used for location data. | | modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | | ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry | | ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | | tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | | tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | @@ -118,6 +125,7 @@ We used the following methodology to derive these network endpoints: | au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. | | cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | | client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| cloudtile.photos.microsoft.com.akadns.net | HTTPS | Photos App in MS Store | config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | | ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | | cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | @@ -129,6 +137,7 @@ We used the following methodology to derive these network endpoints: | fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| flightingservicewus.cloudapp.net | HTTPS | Insider Program | | g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | | g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | | ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | @@ -138,11 +147,14 @@ We used the following methodology to derive these network endpoints: | ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | | ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | | oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| onecollector.cloudapp.aria.akadns.net | HTTPS | Office telemetry | | settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | +| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app | | sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | | storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | | tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | | tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | | vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | | watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | -| bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | +| wd-prod-cp-us-west-3-fe.westus.cloudapp.azure.com | HTTPS | Azure front end traffic | +| www.bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md new file mode 100644 index 0000000000..222b37d0e2 --- /dev/null +++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md @@ -0,0 +1,159 @@ +--- +title: Windows 10, version 1809, connection endpoints for non-Enterprise editions +description: Explains what Windows 10 endpoints are used in non-Enterprise editions. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +author: danihalfin +ms.author: daniha +ms.date: 6/26/2018 +--- +# Windows 10, version 1809, connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 10 Home, version 1809 +- Windows 10 Professional, version 1809 +- Windows 10 Education, version 1809 + +In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-1809-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1809. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Family + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +|*.aria.microsoft.com* | HTTPS | Office Telemetry +|*.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. +|*.download.windowsupdate.com* | HTTP | Used to download operating system patches and updates. +|*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. +|*.msn.com* |TLSv1.2/HTTPS | Windows Spotlight related traffic +|*.Skype.com | HTTP/HTTPS | Skype related traffic +|*.smartscreen.microsoft.com* | HTTPS | Windows Defender Smartscreen related traffic +|*.telecommand.telemetry.microsoft.com* | HTTPS | Used by Windows Error Reporting. +|*cdn.onenote.net* | HTTP | OneNote related traffic +|*displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. +|*emdl.ws.microsoft.com* | HTTP | Windows Update related traffic +|*geo-prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. +|*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). +|*maps.windows.com* | HTTPS | Related to Maps application. +|*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps. +|*nexusrules.officeapps.live.com* | HTTPS | Office Telemetry +|*photos.microsoft.com* | HTTPS | Photos App related traffic +|*prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates. +|*wac.phicdn.net* | HTTP | Windows Update related traffic +|*windowsupdate.com* | HTTP | Windows Update related traffic +|*wns.windows.com* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS). +|*wpc.v0cdn.net* | | Windows Telemetry related traffic +|auth.gfx.ms/16.000.27934.1/OldConvergedLogin_PCore.js | | MSA related +|evoke-windowsservices-tas.msedge* | HTTPS | The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +|fe2.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fe3.*.mp.microsoft.com.* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fs.microsoft.com | | Font Streaming (in ENT traffic) +|g.live.com* | HTTPS | Used by OneDrive +|iriscoremetadataprod.blob.core.windows.net | HTTPS | Windows Telemetry +|mscrl.micorosoft.com | | Certificate Revocation List related traffic. +|ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. +|officeclient.microsoft.com | HTTPS | Office related traffic. +|oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. +|purchase.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. +|query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. +|ris.api.iris.microsoft.com* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata. +|ris-prod-atm.trafficmanager.net | HTTPS | Azure traffic manager +|settings.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration. +|settings-win.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration. +|sls.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|store*.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. +|storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. +|store-images.s-microsoft.com* | HTTP | Used to get images that are used for Microsoft Store suggestions. +|tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. +|tsfe.trafficshaping.dsp.mp.microsoft.com* |TLSv1.2 | Used for content regulation. +|v10.events.data.microsoft.com | HTTPS | Diagnostic Data +|wdcp.microsoft.* |TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. +|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com | HTTPS | Windows Defender related traffic. +|www.bing.com* | HTTP | Used for updates for Cortana, apps, and Live Tiles. + +## Windows 10 Pro + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. | +| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | +| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. | +| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic | + + +## Windows 10 Education + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. | +| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | +| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | +| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. | +| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. | +| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. | +| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. | +| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | +| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | +| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | +| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | +| bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | diff --git a/windows/privacy/windows-personal-data-services-configuration.md b/windows/privacy/windows-personal-data-services-configuration.md index 4c786622c8..e830022a97 100644 --- a/windows/privacy/windows-personal-data-services-configuration.md +++ b/windows/privacy/windows-personal-data-services-configuration.md @@ -59,6 +59,9 @@ This setting determines the amount of Windows diagnostic data sent to Microsoft. >| **Default setting** | 2 - Enhanced | >| **Recommended** | 2 - Enhanced | +>[!NOTE] +>When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used. + #### Registry > [!div class="mx-tableFixed"] diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index c27c171f8d..53820f7491 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.date: 07/30/2018 +ms.date: 12/10/2018 --- # Local Accounts @@ -16,15 +16,8 @@ ms.date: 07/30/2018 This reference topic for the IT professional describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server. This topic does not describe the default local user accounts for an Active Directory domain controller. -**Did you mean…** - -- [Active Directory Accounts](active-directory-accounts.md) - -- [Microsoft Accounts](microsoft-accounts.md) - ## About local user accounts - Local user accounts are stored locally on the server. These accounts can be assigned rights and permissions on a particular server, but on that server only. Local user accounts are security principals that are used to secure and manage access to the resources on a standalone or member server for services or users. This topic describes the following: @@ -475,14 +468,9 @@ Passwords can be randomized by: - Purchasing and implementing an enterprise tool to accomplish this task. These tools are commonly referred to as "privileged password management" tools. -- Configuring, customizing and implementing a free tool to accomplish this task. A sample tool with source code is available at [Solution for management of built-in Administrator account’s password via GPO](https://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789). +- Configuring [Local Administrator Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899) to accomplish this task. - **Note**   - This tool is not supported by Microsoft. There are some important considerations to make before deploying this tool because this tool requires client-side extensions and schema extensions to support password generation and storage. - -   - -- Create and implement a custom script or solution to randomize local account passwords. +- Creating and implementing a custom script or solution to randomize local account passwords. ## See also diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index ccbb1809a4..515338ce7e 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -51,7 +51,7 @@ For information about Windows Defender Remote Credential Guard hardware and soft ## Application requirements -When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. +When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality. >[!WARNING] > Enabling Windows Defender Credential Guard on domain controllers is not supported.
    diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md index d3128c154a..09530fefa8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-features.md +++ b/windows/security/identity-protection/hello-for-business/hello-features.md @@ -202,9 +202,9 @@ Active Directory Domain Services uses AdminSDHolder to secure privileged users a Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object.
    -```dsacls "CN=AdminSDHolder,CN=System,**DC=domain,DC=com**" /g "**[domainName\keyAdminGroup]**":RPWP,msDS-KeyCredentialLink```
    +```dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink```
    where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and **domainName\keyAdminGroup]** is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example:
    -```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net /g "mstepdemo\Key Admins":RPWP,msDS-KeyCredentialLink``` +```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink``` 2. To trigger security descriptor propagation, open **ldp.exe**. 3. Click **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and click **OK**. 4. Click **Connection** and select **Bind...** Click **OK** to bind as the currently signed-in user. @@ -266,4 +266,4 @@ Users appreciate convenience of biometrics and administrators value the security - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) - [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index 7ae1ab1d14..a3d175023d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -19,7 +19,7 @@ Windows Hello for Business authentication is passwordless, two-factor authentica Azure Active Directory joined devices authenticate to Azure during sign-in and can optional authenticate to Active Directory. Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
    [Azure AD join authentication to Azure Active Directory](#Azure-AD-join-authentication-to-Azure-Active-Directory)
    -[Azure AD join authentication to Active Direcotry using a Key](#Azure-AD-join-authentication-to-Active-Direcotry-using-a-Key)
    +[Azure AD join authentication to Active Directory using a Key](#Azure-AD-join-authentication-to-Active-Directory-using-a-Key)
    [Azure AD join authentication to Active Directory using a Certificate](#Azure-AD-join-authentication-to-Active-Directory-using-a-Certificate)
    [Hybrid Azure AD join authentication using a Key](#Hybrid-Azure-AD-join-authentication-using-a-Key)
    [Hybrid Azure AD join authentication using a Certificate](#Hybrid-Azure-AD-join-authentication-using-a-Certificate)
    @@ -38,7 +38,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c [Return to top](#Windows-Hello-for-Business-and-Authentication) ## Azure AD join authentication to Active Directory using a Key -![Azure AD join authentication to Active Direotory using a Key](images/howitworks/auth-aadj-keytrust-kerb.png) +![Azure AD join authentication to Active Directory using a Key](images/howitworks/auth-aadj-keytrust-kerb.png) | Phase | Description | diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md index a6b919a090..ce4c2db9b8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md @@ -77,11 +77,11 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning | Phase | Description | | :----: | :----------- | | A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task.| -|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines directs device registration to Azure Device Registration Service (ADRS).| -|C | For the federated environments, the computer authenticates ADFS/STS using Windows integrated authentication. The enterprise device registration service creates and returns a token that includes claims for the object GUID, computer SID, and domain joined state. The task submits the token and claims to Azure Active Directory where it is validated. Azure Active Directory returns an ID token to the running task. +|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.| +|C | For the federated environments, the computer authenticates the enterprise device registration endpoint using Windows integrated authentication. The enterprise device registration service creates and returns a token that includes claims for the object GUID, computer SID, and domain joined state. The task submits the token and claims to Azure Active Directory where it is validated. Azure Active Directory returns an ID token to the running task. |D | The application creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).| |E | To provide SSO for on-premises federated application, the task requests an enterprise PRT from the on-premises STS. Windows Server 2016 running the Active Directory Federation Services role validate the request and return it the running task.| -|F | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client. Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.| -|G |If device write-back is enabled, on it's next synchronization cycle, Azure AD Connect requests updates from Azure Active Directory. Azure Active Directory correlates the device object with a matching synchronized computer object. Azure AD Connect receives the device object that includes the object GUID and computer SID and writes the device object to Active Directory.| +|F | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client. Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.| +|G | If Azure AD Connect device write-back is enabled, Azure AD Connect requests updates from Azure Active Directory at its next synchronization cycle (device write-back is required for hybrid deployment using certificate trust). Azure Active Directory correlates the device object with a matching synchronized computer object. Azure AD Connect receives the device object that includes the object GUID and computer SID and writes the device object to Active Directory.| -[Return to top](#Windows-Hello-for-Business-and-Device-Registration) \ No newline at end of file +[Return to top](#Windows-Hello-for-Business-and-Device-Registration) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 2251f953d0..9ccd6b2fb8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -22,11 +22,12 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Azure AD joined provisioning in a Managed environment](#Azure-AD-joined-provisioning-in-a-Managed-environment)
    [Azure AD joined provisioning in a Federated environment](#Azure-AD-joined-provisioning-in-a-Federated-environment)
    -[Hybrid Azure AD joined provisioning in a Key Trust deployment](#Hybrid-Azure-AD-joined-provisioning-in-a-Key-Trust-deployment)
    -[Hybrid Azure AD joined provisioning in a Certificate Trust deployment](#Hybrid-Azure-AD-joined-provisioning-in-a-Certificate-Trust-deployment)
    -[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment](#Hybrid-Azure-AD-joined-provisioning-in-a-synchronous-Certificate-Trust-deployment)
    -[Domain joined provisioning in an On-premises Key Trust deployment](#Domain-joined-provisioning-in-an-Onpremises-Key-Trust-deployment)
    -[Domain joined provisioning in an On-premises Certificate Trust deployment](#Domain-joined-provisioning-in-an-Onpremises-Certificate-Trust-deployment)
    +[Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed envrionment](#Hybrid-Azure-AD-joined-provisioning-in-a-Key-Trust-deployment-in-a-Managed-envrionment)
    +[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](#Hybrid-Azure-AD-joined-provisioning-in-a-Certificate-Trust-deployment-in-a-Managed-environment)
    +[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](#Hybrid-Azure-AD-joined-provisioning-in-a-synchronous-Certificate-Trust-deployment-in-a-Managed-environment)
    +[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](#Hybrid-Azure-AD-joined-provisioning-in-a-synchronous-Certificate-Trust-deployment-in-a-Federated-environment)
    +[Domain joined provisioning in an On-premises Key Trust deployment](#Domain-joined-provisioning-in-an-On-premises-Key-Trust-deployment)
    +[Domain joined provisioning in an On-premises Certificate Trust deployment](#Domain-joined-provisioning-in-an-On-premises-Certificate-Trust-deployment)
    @@ -85,7 +86,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#Windows-Hello-for-Business-Provisioning) -## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environmnet +## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment ![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-instant-certtrust-managed.png) | Phase | Description | @@ -140,6 +141,6 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, |D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
    The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
    After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys.| |E | The registration authority validates the public key in the certificate request matches a registered key for the user.
    After validating the public key, the registration authority signs the certificate request using its enrollment agent certificate.| |F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.| -|G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning.| +|G | The application receives the newly issued certificate and installs it into the Personal store of the user. This signals the end of provisioning.| -[Return to top](#Windows-Hello-for-Business-Provisioning) \ No newline at end of file +[Return to top](#Windows-Hello-for-Business-Provisioning) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index d47f46ccc8..dda2b53178 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -100,7 +100,7 @@ Sign-in to a domain controller or management workstation with access equivalent 4. Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog. > [!NOTE] -> For high-availabilty, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration. +> For high-availability, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration. ### Create the NDES Service Account The Network Device Enrollment Services (NDES) role runs under a service account. Typically, it is preferential to run services using a Group Managed Service Account (GMSA). While the NDES role can be configured to run using a GMSA, the Intune Certificate Connector was not designed nor tested using a GMSA and is considered an unsupported configuration. The deployment uses a normal services account. @@ -517,8 +517,8 @@ Sign-in the NDES server with access equivalent to _local administrator_. #### Configure Parameters for HTTP.SYS 1. Open an elevated command prompt. 2. Run the following commands
    -```reg add HKLM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534```
    -```reg add HKLM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```
    +```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534```
    +```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```
    3. Restart the NDES server. ## Download, Install and Configure the Intune Certificate Connector @@ -686,4 +686,4 @@ You have successfully completed the configuration. Add users that need to enrol > * Install and Configure the NDES Role > * Configure Network Device Enrollment Services to work with Microsoft Intune > * Download, Install, and Configure the Intune Certificate Connector -> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile) \ No newline at end of file +> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index 9145280789..063a6f0ffc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md @@ -29,7 +29,7 @@ When using a key, the on-premises environment needs an adequate distribution of When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement. However, single-sign on using a key requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business. Azure AD joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM). Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector. To deploy single sign-on for Azure AD joined devices using keys, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md). -To deploy single sign-on for Azure AD joined devices using, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). +To deploy single sign-on for Azure AD joined devices using certificates, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). ## Related topics diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index ed91c63c54..ec4aa1375e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -66,7 +66,7 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o 3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. ```PowerShell - Install-AdcsCertificateAuthority + Install-AdcsCertificationAuthority ``` ## Configure a Production Public Key Infrastructure @@ -75,7 +75,7 @@ If you do not have an existing public key infrastructure, please review [Certifi > [!IMPORTANT] > For Azure AD joined device to authenticate to and use on-premises resources, ensure you: -> * Install the root certificate authority certificate for your organization in the user's trusted root certifcate store. +> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store. > * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url. ### Section Review ### @@ -84,7 +84,7 @@ If you do not have an existing public key infrastructure, please review [Certifi > * Minimum Windows Server 2012 Certificate Authority. > * Enterprise Certificate Authority. > * Functioning public key infrastructure. -> * Root certifcate authority certificate (Azure AD Joined devices). +> * Root certificate authority certificate (Azure AD Joined devices). > * Highly available certificate revocation list (Azure AD Joined devices). ## Azure Active Directory ## @@ -131,7 +131,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation > * Review the overview and uses of Azure Multifactor Authentication. > * Review your Azure Active Directory subscription for Azure Multifactor Authentication. > * Create an Azure Multifactor Authentication Provider, if necessary. -> * Configure Azure Multufactor Authentiation features and settings. +> * Configure Azure Multifactor Authentiation features and settings. > * Understand the different User States and their effect on Azure Multifactor Authentication. > * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server Active Directory Federation Services, if necessary. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index cd06ba9e92..b6cbd28438 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -23,7 +23,7 @@ Hybrid environments are distributed systems that enable organizations to use on- The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: * [Directories](#directories) -* [Public Key Infrastructure](#public-key-infrastructure) +* [Public Key Infrastucture](#public-key-infastructure) * [Directory Synchronization](#directory-synchronization) * [Federation](#federation) * [MultiFactor Authentication](#multifactor-authentication) @@ -114,9 +114,9 @@ Organizations wanting to deploy hybrid key trust need their domain joined device
    ### Next Steps ### -Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**. +Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**. -For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Synchronization**. +For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Syncrhonization**. For federated and non-federated environments, start with **Configure Windows Hello for Business settings**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 621818ce66..70dd6093e7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -19,7 +19,7 @@ ms.date: 08/19/2018 - Key trust -## Directory Syncrhonization +## Directory Synchronization In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index 21befdf74e..d21998d065 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -46,7 +46,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. **Note**If you use different template names, you'll need to remember and substitute these names in different portions of the lab. -6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. +6. On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. 8. Close the console. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index 1a0b808710..ef10959add 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md @@ -37,7 +37,7 @@ Domain controllers automatically request a certificate from the *Domain Controll To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. -#### Create a Domain Controller Automatic Certifiacte Enrollment Group Policy object +#### Create a Domain Controller Automatic Certificate Enrollment Group Policy object Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. @@ -169,4 +169,4 @@ Users must receive the Windows Hello for Business group policy settings and have 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. Configure Windows Hello for Business policy settings (*You are here*) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 4d03a84747..9c0f5c3a35 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -39,7 +39,7 @@ Windows Hello addresses the following problems with passwords: * Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory ### Hybrid Deployments -The table shows the minimum requirements for each deployment. +The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. | Key trust
    Group Policy managed | Certificate trust
    Mixed managed | Key trust
    Modern managed | Certificate trust
    Modern managed | | --- | --- | --- | --- | diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index 2bc92aac17..0d2f3c602d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -197,8 +197,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 4. Click the **Members** tab and click **Add…** 5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. 6. Click **OK** to return to **Active Directory Users and Computers**. -7. Click **OK** to return to **Active Directory Users and Computers**. -8. Change to server hosting the AD FS role and restart it. +7. Change to server hosting the AD FS role and restart it. ## Configure the Device Registration Service diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index cd419ac1a4..5c80c9502b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -38,7 +38,7 @@ A lab or proof-of-concept environment does not need high-availability or scalabi Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server. >[!IMPORTANT] ->Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use instllation instructions provided in the article. +>Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use installation instructions provided in the article. Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-key-trust-deploy-mfa.md). @@ -47,4 +47,4 @@ Once you have validated all the requirements, please proceed to [Configure or De 2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) 3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) 4. Validate and Deploy Multifactor Authentication Services (MFA) (*You are here*) -5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) \ No newline at end of file +5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index 764dacd461..7a7999914a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md @@ -64,7 +64,7 @@ Sign-in to a certificate authority or management workstations with _Domain Admin 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. -6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. +6. On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. 8. Close the console. diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 0d044aa31e..09dfdad4dc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -9,12 +9,11 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: high -ms.date: 05/05/2018 --- # Windows Hello for Business Overview **Applies to** -- Windows 10 +- Windows 10 In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 0836a4dfc0..0156ec9a78 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -22,10 +22,10 @@ Over the past few years, Microsoft has continued their commitment to enabling a ### 1. Develop a password replacement offering Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single-sign on to Azure Active Directory and Active Directory. -Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to useWindows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. +Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. ### 2. Reduce user-visible password surface area -With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never user it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is a how passwords are phished. Users who rarely, it at all, use their password are unlikely to provide it. Password prompts are no longer the norm. +With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. ### 3. Transition into a password-less deployment Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where: diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index 15f9ab184e..851edc7279 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -7,7 +7,7 @@ ms.mktglfcycl: operate ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 09/19/2018 +ms.date: 11/16/2018 --- # How User Account Control works @@ -182,7 +182,7 @@ To better understand each component, review the table below:

    Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.


    • -

  • Never notify (Disable UAC) will:

    +

  • Never notify (Disable UAC prompts) will:

    • Not notify you when programs try to install software or make changes to your computer.
    • Not notify you when you make changes to Windows settings.
      • diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index ccd3bb3219..e69b8ed62c 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -10,7 +10,7 @@ ms.author: pashort manager: elizapo ms.reviewer: ms.localizationpriority: medium -ms.date: 04/20/2018 +ms.date: 01/26/2019 --- # VPN and conditional access @@ -30,9 +30,9 @@ Conditional Access Platform components used for Device Compliance include the fo - [Windows Health Attestation Service](https://technet.microsoft.com/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices#device-health-attestation) (optional) -- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. +- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. -- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. +- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. Additional details regarding the Azure AD issued short-lived certificate: - The default lifetime is 60 minutes and is configurable @@ -52,15 +52,13 @@ The following client-side components are also required: - Trusted Platform Module (TPM) ## VPN device compliance -According to the VPNv2 CSP, these settings options are **Optional**. If you want your users to access on-premises resources, such as files on a network share, based on the credential of a certificate that was issued by an on-premises CA, and not the Cloud CA certificate, you add these settings to the VPNv2 profile. Alternatively, if you add the cloud root certificates to the NTAuth store in on-prem AD, your user's cloud certificate will chain and KDC will issue TGT and TGS tickets to them. +At this time, the Azure AD certificates issued to users do not contain a CRL Distribution Point (CDP) and are not suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the <SSO> section. Server-side infrastructure requirements to support VPN device compliance include: -- The VPN server should be configured for certificate authentication. +- The VPN server should be configured for certificate authentication - The VPN server should trust the tenant-specific Azure AD CA -- Either of the below should be true for Kerberos/NTLM SSO: - - Domain servers trust Azure AD CA - - A domain-trusted certificate is deployed to the client device and is configured to be used for single sign-on (SSO) +- For client access using Kerberos/NTLM, a domain-trusted certificate is deployed to the client device and is configured to be used for single sign-on (SSO) After the server side is set up, VPN admins can add the policy settings for conditional access to the VPN profile using the VPNv2 DeviceCompliance node. @@ -68,7 +66,7 @@ Two client-side configuration service providers are leveraged for VPN device com - VPNv2 CSP DeviceCompliance settings - **Enabled**: enables the Device Compliance flow from the client. If marked as **true**, the VPN client attempts to communicate with Azure AD to get a certificate to use for authentication. The VPN should be set up to use certificate authentication and the VPN server must trust the server returned by Azure AD. - - **Sso**: nodes under SSO can be used to choose a certificate different from the VPN authentication certificate for Kerberos authentication in the case of device compliance. + - **Sso**: entries under SSO should be used to direct the VPN client to use a certificate other than the VPN authentication certificate when accessing resources that require Kerberos authentication. - **Sso/Enabled**: if this field is set to **true**, the VPN client looks for a separate certificate for Kerberos authentication. - **Sso/IssuerHash**: hashes for the VPN client to look for the correct certificate for Kerberos authentication. - **Sso/Eku**: comma-separated list of Enhanced Key Usage (EKU) extensions for the VPN client to look for the correct certificate for Kerberos authentication. @@ -79,8 +77,7 @@ Two client-side configuration service providers are leveraged for VPN device com - Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification >[!NOTE] ->Enabling SSO is not necessarily required unless you want VPN users to be issued Kerberos tickets to access on-premises resources using a certificate issued by the on-premises CA; not the cloud certificate issued by AAD. - +>Currently, it is required that certificates be issued from an on-premises CA, and that SSO be enabled in the user’s VPN profile. This will enable the user to obtain Kerberos tickets in order to access resources on-premises. Kerberos currently does not support the use of Azure AD certificates. ## Client connection flow The VPN client side connection flow works as follows: @@ -89,7 +86,7 @@ The VPN client side connection flow works as follows: When a VPNv2 Profile is configured with \ \true<\/Enabled> the VPN client uses this connection flow: -1. The VPN client calls into Windows 10’s AAD Token Broker, identifying itself as a VPN client. +1. The VPN client calls into Windows 10’s Azure AD Token Broker, identifying itself as a VPN client. 2. The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. The Azure AD Server checks if the device is in compliance with the policies. 3. If compliant, Azure AD requests a short-lived certificate 4. Azure AD pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing. diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md index d1af453ff6..6750ea0cc6 100644 --- a/windows/security/information-protection/TOC.md +++ b/windows/security/information-protection/TOC.md @@ -40,8 +40,8 @@ #### [Create a WIP policy with MAM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-mam-intune-azure.md) ### [Create a WIP policy using System Center Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md) #### [Create and deploy a WIP policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md) -### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md) -### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md) +#### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md) +#### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md) ### [Mandatory tasks and settings required to turn on WIP](windows-information-protection\mandatory-settings-for-wip.md) ### [Testing scenarios for WIP](windows-information-protection\testing-scenarios-for-wip.md) ### [Limitations while using WIP](windows-information-protection\limitations-with-wip.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index d536281716..0e713f66aa 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: Justinha -ms.date: 11/06/2018 +ms.date: 01/12/2019 --- # Overview of BitLocker Device Encryption in Windows 10 @@ -27,7 +27,6 @@ Table 2 lists specific data-protection concerns and how they are addressed in Wi | Windows 7 | Windows 10 | |---|---| | When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.

      Network Unlock allows PCs to start automatically when connected to the internal network. | - | Users must contact the IT department to change their BitLocker PIN or password. | Modern Windows devices no longer require a PIN in the pre-boot environment to protect BitLocker encryption keys from cold boot attacks.

      Users who have standard privileges can change their BitLocker PIN or password on legacy devices that require a PIN. | | When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. | | There is no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. | | Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. | @@ -58,7 +57,9 @@ With earlier versions of Windows, administrators had to enable BitLocker after W ## BitLocker Device Encryption -Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby. Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption. +Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition. + +Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption. Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens: diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md index b77aa70779..491f941bf8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md @@ -1,31 +1,23 @@ --- -title: BitLocker How to deploy on Windows Server 2012 and later (Windows 10) -description: This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later. +title: BitLocker How to deploy on Windows Server 2012 and later +description: This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later ms.assetid: 91c18e9e-6ab4-4607-8c75-d983bbe2542f -ms.prod: w10 +ms.prod: windows-server-threshold ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 02/04/2019 --- # BitLocker: How to deploy on Windows Server 2012 and later -**Applies to** -- Windows 10 +> Applies to: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 -This topic for the IT professional explains how to deploy BitLocker on Windows Server 2012 and later. - -For all Windows Server editions, BitLocker must be installed using Server Manager. However, you can still provision BitLocker before the server operating system is installed as part of your deployment. +This topic for the IT professional explains how to deploy BitLocker on Windows Server 2012 and later. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server to install. ## Installing BitLocker -BitLocker requires administrator privileges on the server to install. You can install BitLocker either by using Server Manager or Windows PowerShell cmdlets. - -- To install BitLocker using Server Manager -- To install BitLocker using Windows PowerShell - ### To install BitLocker using Server Manager 1. Open Server Manager by selecting the Server Manager icon or running servermanager.exe. diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 41a434f60a..3a6301c3fc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 09/17/2018 +ms.date: 01/26/2019 --- # BitLocker Management for Enterprises @@ -25,11 +25,11 @@ Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](h ## Managing devices joined to Azure Active Directory -Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. +Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones. -For hardware that is compliant with Modern Standby and HSTI, when using either of these features, BitLocker Device Encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD. +For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD. ## Managing workplace-joined PCs and phones diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index ff6b35411f..8431b2341b 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 10/16/2017 +ms.date: 01/26/2018 --- # BitLocker @@ -42,7 +42,7 @@ BitLocker control panel, and they are appropriate to use for automated deploymen ## New and changed functionality -To find out what's new in BitLocker for Windows 10, such as support for the XTS-AES encryption algorithm, see the [BitLocker](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10, versions 1507 and 1511." +To find out what's new in BitLocker for Windows 10, such as support for the XTS-AES encryption algorithm, see the [BitLocker](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10."   ## System requirements @@ -71,7 +71,7 @@ When installing the BitLocker optional component on a server you will also need | [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) | This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| | [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic for the IT professional explains how can you plan your BitLocker deployment. | | [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. | -| [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md)| This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later.| +| [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This topic for the IT professional explains how to deploy BitLocker on Windows Server.| | [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. | | [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This topic for the IT professional describes how to use tools to manage BitLocker.| | [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. | diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 68b1e25d31..9e78e1465a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -7,8 +7,6 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft - -ms.date: 08/17/2017 --- # BitLocker recovery guide @@ -26,7 +24,7 @@ This article does not detail how to configure AD DS to store the BitLocker reco ## What is BitLocker recovery? -BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario you have the following options to restore access to the drive: +BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario, you have the following options to restore access to the drive: - The user can supply the recovery password. If your organization allows users to print or store recovery passwords, the user can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft Account online. (Saving a recovery password with your Microsoft Account online is only allowed when BitLocker is used on a PC that is not a member of a domain). - A data recovery agent can use their credentials to unlock the drive. If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. @@ -36,7 +34,7 @@ BitLocker recovery is the process by which you can restore access to a BitLocker The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: -- On PCs that use BitLocker, or on devices such as tablets or phones that use Device Encryption only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](https://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](https://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout. +- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](https://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](https://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout. - On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised. - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. - Failing to boot from a network drive before booting from the hard drive. @@ -245,7 +243,7 @@ This error might occur if you updated the firmware. As a best practice you shoul ## Windows RE and BitLocker Device Encryption -Windows Recovery Environment (RE) can be used to recover access to a drive protected by BitLocker Device Encryption. If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. +Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. ## Using additional recovery information diff --git a/windows/security/information-protection/bitlocker/images/kernel-dma-protection-security-center.png b/windows/security/information-protection/bitlocker/images/kernel-dma-protection-security-center.png new file mode 100644 index 0000000000..9f9aea0f86 Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/kernel-dma-protection-security-center.png differ diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg b/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg new file mode 100644 index 0000000000..f1c25c116c Binary files /dev/null and b/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg differ diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.png b/windows/security/information-protection/images/kernel-dma-protection-security-center.png new file mode 100644 index 0000000000..dfd30ba2a2 Binary files /dev/null and b/windows/security/information-protection/images/kernel-dma-protection-security-center.png differ diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 3f71393153..529d064913 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: aadake -ms.date: 10/03/2018 +ms.date: 12/20/2018 --- # Kernel DMA Protection for Thunderbolt™ 3 @@ -38,17 +38,17 @@ A simple example would be a PC owner leaves the PC for a quick coffee break, and ## How Windows protects against DMA drive-by attacks -Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external devices from starting and performing DMA unless the drivers for these devices support memory isolation (such as DMA-remapping). -Devices with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions. -Devices with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. +Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external peripherals from starting and performing DMA unless the drivers for these peripherals support memory isolation (such as DMA-remapping). +Peripherals with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions. +By default, peripherals with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. ## User experience ![Kernel DMA protection user experience](images/kernel-dma-protection-user-experience.png) -A device that is incompatible with DMA-remapping will be blocked from starting if the device was plugged in before an authorized user logs in, or while the screen is locked. -Once the system is unlocked, the device driver will be started by the OS, and the device will continue to function normally until the system is rebooted, or the device is unplugged. -The devices will continue to function normally if the user locks the screen or logs out of the system. +A peripheral that is incompatible with DMA-remapping will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. +Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. +The peripheral will continue to function normally if the user locks the screen or logs out of the system. ## System compatibility @@ -65,11 +65,17 @@ Systems released prior to Windows 10 version 1803 do not support Kernel DMA Prot Systems running Windows 10 version 1803 that do support Kernel DMA Protection do have this security feature enabled automatically by the OS with no user or IT admin configuration required. -**To check if a device supports Kernel DMA Protection** +### Using Security Center + +Beginning with Wndows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**. + +![Kernel DMA protection in Security Center](bitlocker/images/kernel-dma-protection-security-center.png) + +### Using System information 1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar. 2. Check the value of **Kernel DMA Protection**. - ![Kernel DMA protection](bitlocker/images/kernel-dma-protection.png) + ![Kernel DMA protection in System Information](bitlocker/images/kernel-dma-protection.png) 3. If the current state of **Kernel DMA Protection** is OFF and **Virtualization Technology in Firmware** is NO: - Reboot into BIOS settings - Turn on Intel Virtualization Technology. @@ -82,7 +88,7 @@ For systems that do not support Kernel DMA Protection, please refer to the [BitL ## Frequently asked questions ### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3? -In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. +In-market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. ### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot? No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot. @@ -102,10 +108,13 @@ In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Co ### Do drivers for non-PCI devices need to be compatible with DMA-remapping? No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA-remapping. -### How can an enterprise enable the “External device enumeration” policy? -The “External device enumeration” policy controls whether to enumerate external devices that are not compatible with DMA-remapping. Devices that are compatible with DMA-remapping are always enumerated. The policy can be enabled via Group Policy or Mobile Device Management (MDM): +### How can an enterprise enable the External device enumeration policy? +The External device enumeration policy controls whether to enumerate external peripherals that are not compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always enumerated. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). + +The policy can be enabled by using: + - Group Policy: Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection -- MDM: [DmaGuard policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies) +- Mobile Device Management (MDM): [DmaGuard policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies) ## Related topics diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index 585264179f..cb56f52198 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.sitesec: library ms.localizationpriority: medium author: brianlic-msft -ms.date: 10/13/2017 +ms.date: 11/16/2018 --- # Secure the Windows 10 boot process @@ -122,9 +122,5 @@ Measured Boot uses the power of UEFI, TPM, and Windows 10 to give you a way to ## Summary Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows 10, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and bounds ahead of everything else. With Windows 10, you can truly trust the integrity of your operating system. -For more information: - -- Watch a [video demonstration of Secure Boot](https://technet.microsoft.com/windows/jj737995.aspx) - ## Additional resources - [Windows 10 Enterprise Evaluation](https://technet.microsoft.com/evalcenter/hh699156.aspx?ocid=wc-tn-wctc) diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md index db918c0ba6..6f31a72d96 100644 --- a/windows/security/information-protection/tpm/manage-tpm-lockout.md +++ b/windows/security/information-protection/tpm/manage-tpm-lockout.md @@ -31,7 +31,7 @@ The industry standards from the Trusted Computing Group (TCG) specify that TPM m **TPM 2.0** -TPM 2.0 devices have standardized lockout behavior which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 2 hours. This means that every continuous two hours of powered on operation without an event which increases the counter will cause the counter to decrease by 1. +TPM 2.0 devices have standardized lockout behavior which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows 10 configures the maximum count to be 32 and the healing time to be 10 minutes. This means that every continuous ten minutes of powered on operation without an event which increases the counter will cause the counter to decrease by 1. If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. This value is no longer retained by default starting with Windows 10 version 1607. diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index 7fa22e10ce..36ab2dd427 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -9,7 +9,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/16/2018 +ms.date: 11/29/2018 --- # TPM recommendations @@ -64,6 +64,9 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in - While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC. +> [!NOTE] +> TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. + ## Discrete, Integrated or Firmware TPM? There are three implementation options for TPMs: @@ -84,7 +87,7 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) -- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn91508.aspx) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features). +- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features). ### IoT Core @@ -101,7 +104,7 @@ The following table defines which Windows features require TPM support. | Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details | |-------------------------|--------------|--------------------|--------------------|----------| | Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot | -| BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required | +| BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required, but [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support | | Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. | | Windows Defender Application Control (Device Guard) | No | Yes | Yes | | | Windows Defender Exploit Guard | No | N/A | N/A | | @@ -113,6 +116,10 @@ The following table defines which Windows features require TPM support. | TPM Platform Crypto Provider Key Storage Provider| Yes | Yes| Yes | | | Virtual Smart Card | Yes | Yes | Yes | | | Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. | +| Autopilot | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. | +| SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. | +| DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. | + ## OEM Status on TPM 2.0 system availability and certified parts diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 1b4e9f6f6f..3d34861247 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -9,7 +9,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms-author: v-anbic -ms.date: 08/21/2018 +ms.date: 11/29/2018 --- # Trusted Platform Module Technology Overview @@ -17,6 +17,7 @@ ms.date: 08/21/2018 **Applies to** - Windows 10 - Windows Server 2016 +- Windows Server 2019 This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. @@ -38,7 +39,7 @@ Different versions of the TPM are defined in specifications by the Trusted Compu ### Automatic initialization of the TPM with Windows 10 -Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). +Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). We're [no longer actively developing the TPM management console](https://docs.microsoft.com/windows-server/get-started-19/removed-features-19#features-were-no-longer-developing) beginning with Windows Server 2019 and Windows 10, version 1809. In certain specific enterprise scenarios limited to Windows 10, versions 1507 and 1511, Group Policy might be used to back up the TPM owner authorization value in Active Directory. Because the TPM state persists across operating system installations, this TPM information is stored in a location in Active Directory that is separate from computer objects. @@ -69,18 +70,18 @@ Some things that you can check on the device are: - Is SecureBoot supported and enabled? > [!NOTE] -> Windows 10 and Windows Server 2016 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). +> Windows 10, Windows Server 2016 and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. ## Supported versions for device health attestation -| TPM version | Windows 10 | Windows Server 2016 | -|-------------|-------------|---------------------| -| TPM 1.2 | >= ver 1607 | >= ver 1607 | -| TPM 2.0 | X | X | +| TPM version | Windows 10 | Windows Server 2016 | Windows Server 2019 | +|-------------|-------------|---------------------|---------------------| +| TPM 1.2 | >= ver 1607 | >= ver 1607 | Yes | +| TPM 2.0 | Yes | Yes | Yes | ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) -- [TPM Cmdlets in Windows PowerShell](https://technet.microsoft.com/library/jj603116.aspx) -- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) +- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md index 67d918b484..b1005f382d 100644 --- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md +++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security author: justinha ms.localizationpriority: medium -ms.date: 10/12/2018 +ms.date: 11/28/2018 --- # How Windows Information Protection protects files with a sensitivity label @@ -27,13 +27,15 @@ Microsoft information protection technologies work together as an integrated sol Microsoft information protection technologies include: -- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects data at rest on endpoint devices, and manages apps to protect data in use. +- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as email attachment, is not protected by WIP. - [Office 365 Information Protection](https://docs.microsoft.com/office365/securitycompliance/office-365-info-protection-for-gdpr-overview) is a solution to classify, protect, and monitor personal data in Office 365 and other first-party or third-party Software-as-a-Service (SaaS) apps. -- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps: +- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services. - ![Sensitivity labels](images/sensitivity-labels.png) +End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps: + +![Sensitivity labels](images/sensitivity-labels.png) ## Default WIP behaviors for a sensitivity label diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 9dce29791b..2c82639fdb 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security author: justinha ms.author: justinha -ms.date: 05/30/2018 +ms.date: 12/18/2018 ms.localizationpriority: medium --- @@ -104,7 +104,7 @@ This table provides info about the most common problems you might encounter whil
    • SavedGames
    - WIP isn’t turned on for employees in your organization. + WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using System Center Configuration Manager. Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

    If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection). diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md index b0cbdd55e6..e160720d9f 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md @@ -22,8 +22,8 @@ Microsoft Intune helps you create and deploy your enterprise data protection (WI ## In this section |Topic |Description | |------|------------| -|[Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | -|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create your WIP policy with MDM, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.| +|[Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM (Mobile Device Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | +|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create your WIP policy with MAM (Mobile Application Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.| |[Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](create-wip-policy-using-intune.md) |Details about how to use the classic console for Microsoft Intune to create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. | -|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). | \ No newline at end of file +|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). | diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index ed41a8ef23..49ed1d9865 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.author: justinha -ms.date: 11/06/2018 +ms.date: 02/11/2019 ms.localizationpriority: medium --- @@ -24,9 +24,12 @@ With the increase of employee-owned devices in the enterprise, there’s also an Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client. +>[!IMPORTANT] +>While WIP can stop accidental data leaks from honest employees, it is not intended to stop malicious insiders from removing enterprise data. For more details about the benefits WIP provides, see [Why use WIP?](#why-use-wip) later in this topic. + ## Video: Protect enterprise data from being accidentally copied to the wrong place -> [!Video https://www.youtube.com/embed/1s09SrwxccM] +> [!Video https://www.microsoft.com/en-us/videoplayer/embed/RE2IGhh] ## Prerequisites You’ll need this software to run WIP in your enterprise: @@ -73,28 +76,28 @@ WIP provides: - Integration with your existing management system (Microsoft Intune, System Center Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company. ## Why use WIP? -WIP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune). +WIP is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune). -- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. WIP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data. +- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. WIP helps protect enterprise on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data. - **Manage your enterprise documents, apps, and encryption modes.** - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device. - - **Using allowed apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. + - **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. - - **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode. + - **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode. - You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list. + You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the protected apps list. - - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). + - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). - **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media. Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document. - - **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your allowed apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your allowed apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally. + - **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally. - **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. @@ -120,14 +123,14 @@ WIP currently addresses these enterprise scenarios: - You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data. -- You can select specific apps that can access enterprise data, called "allowed apps" that are clearly recognizable to employees. You can also stop non-protected apps from accessing enterprise data. +- You can protect specific apps that can access enterprise data that are clearly recognizable to employees. You can also stop non-protected apps from accessing enterprise data. - Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required. ### WIP-protection modes Enterprise data is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. -Your WIP policy includes a list of trusted apps that are allowed to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned. +Your WIP policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned. >[!NOTE] >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md index e352e66a52..ea566d653b 100644 --- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.author: justinha -ms.date: 10/18/2018 +ms.date: 02/11/2019 ms.localizationpriority: medium --- @@ -33,6 +33,9 @@ This table includes the recommended URLs to add to your Enterprise Cloud Resourc |Visual Studio Online |contoso.visualstudio.com | |Power BI |contoso.powerbi.com | +>[!NOTE] +>You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to add both. + ## Recommended Neutral Resources We recommended adding these URLs if you use the Neutral Resources network setting with Windows Information Protection (WIP).
      diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md index 0d85fb8053..49ceafd5b2 100644 --- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.author: justinha -ms.date: 05/30/2018 +ms.date: 02/07/2019 ms.localizationpriority: medium --- @@ -25,7 +25,7 @@ Because Outlook on the web can be used both personally and as part of your organ |-------|-------------| |Disable Outlook on the web. Employees can only use Microsoft Outlook 2016 or the Mail for Windows 10 app. | Disabled. | |Don't configure outlook.office.com in any of your networking settings. |All mailboxes are automatically marked as personal. This means employees attempting to copy work content into Outlook on the web receive prompts and that files downloaded from Outlook on the web aren't automatically protected as corporate data. | -|Add outlook.office.com to the Cloud resources network element in your WIP policy. |All mailboxes are automatically marked as corporate. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data. | +|Add outlook.office.com and outlook.office365.com to the Cloud resources network element in your WIP policy. |All mailboxes are automatically marked as corporate. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data. | >[!NOTE] >These limitations don’t apply to Outlook 2016, the Mail for Windows 10 app, or the Calendar for Windows 10 app. These apps will work properly, marking an employee’s mailbox as corporate data, regardless of how you’ve configured outlook.office.com in your network settings. diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index a328d38a24..7bd8b0766d 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -6,7 +6,8 @@ #### [Attack surface reduction](windows-defender-atp/overview-attack-surface-reduction.md) ##### [Hardware-based isolation](windows-defender-atp/overview-hardware-based-isolation.md) ###### [Application isolation](windows-defender-application-guard/wd-app-guard-overview.md) -###### [System isolation](windows-defender-atp/how-hardware-based-containers-help-protect-windows.md) +####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md) +###### [System integrity](windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) ##### [Application control](windows-defender-application-control/windows-defender-application-control.md) ##### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md) ##### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md) @@ -23,6 +24,7 @@ ###### [Investigate incidents](windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md) + ##### Alerts queue ###### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) ###### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md) @@ -80,82 +82,17 @@ ##### [Custom detections](windows-defender-atp/overview-custom-detections.md) ###### [Create custom detections rules](windows-defender-atp/custom-detection-rules.md) + #### [Management and APIs](windows-defender-atp/management-apis.md) ##### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -##### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md) -######Actor -####### [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md) -####### [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md) -######Alerts -####### [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md) -####### [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md) -####### [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md) -####### [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md) -####### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md) -####### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) -####### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) -######Domain -####### [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md) -####### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md) -####### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md) -####### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) - -######File -####### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md) -####### [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md) -####### [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md) -####### [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md) -####### [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md) -####### [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md) -####### [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md) - -######IP -####### [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md) -####### [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md) -####### [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md) -####### [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md) -######Machines -####### [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md) -####### [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md) -####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md) -####### [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md) -####### [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md) -####### [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md) -####### [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md) -####### [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md) -####### [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md) -####### [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md) -####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md) -####### [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md) -####### [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md) -####### [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md) -####### [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md) -####### [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md) -####### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md) -####### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md) -####### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md) -######Machines Security States -####### [Get MachineSecurityStates collection](windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md) -######Machine Groups -####### [Get MachineGroups collection](windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md) - -######User -####### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md) -####### [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md) -####### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md) -####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md) - -######Windows updates (KB) info -####### [Get KbInfo collection](windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md) -######Common Vulnerabilities and Exposures (CVE) to KB map -####### [Get CVE-KB map](windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md) - +##### [Windows Defender ATP APIs](windows-defender-atp/apis-intro.md) ##### [Managed security service provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md) #### [Microsoft threat protection](windows-defender-atp/threat-protection-integration.md) ##### [Protect users, data, and devices with conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md) ##### [Microsoft Cloud App Security integration overview](windows-defender-atp/microsoft-cloud-app-security-integration.md) +##### [Information protection in Windows overview](windows-defender-atp/information-protection-in-windows-overview.md) @@ -185,13 +122,17 @@ ### [Configure and manage capabilities](windows-defender-atp/onboard.md) #### [Configure attack surface reduction](windows-defender-atp/configure-attack-surface-reduction.md) -##### [Hardware-based isolation](windows-defender-application-guard/install-wd-app-guard.md) +####Hardware-based isolation +##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) +##### [Application isolation](windows-defender-application-guard/install-wd-app-guard.md) ###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md) ##### [Application control](windows-defender-application-control/windows-defender-application-control.md) -##### [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) -###### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md) -####### [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) -####### [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) +##### Device control +###### [Control USB devices](device-control/control-usb-devices-using-intune.md) +###### [Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) +####### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md) +######## [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) +######## [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) ##### [Exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md) ###### [Customize exploit protection](windows-defender-exploit-guard/customize-exploit-protection.md) ###### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md) @@ -290,6 +231,153 @@ ###### [Troubleshoot onboarding issues](windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) ####### [Troubleshoot subscription and portal access issues](windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) +##### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/use-apis.md) +###### Create your app +####### [Get access on behalf of a user](windows-defender-atp/exposed-apis-create-app-nativeapp.md) +####### [Get access without a user](windows-defender-atp/exposed-apis-create-app-webapp.md) +###### [Supported Windows Defender ATP APIs](windows-defender-atp/exposed-apis-list.md) +####### [Advanced Hunting](windows-defender-atp/run-advanced-query-api.md) + +####### [Alert](windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md) +######## [List alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md) +######## [Create alert](windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md) +######## [Update Alert](windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md) +######## [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) +######## [Get alert related domains information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md) +######## [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) +######## [Get alert related IPs information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) +######## [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) +######## [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) + +####### Domain +######## [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md) +######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md) +######## [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md) +######## [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md) + +####### [File](windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md) +######## [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md) +######## [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) +######## [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md) +######## [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md) + +####### IP +######## [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md) +######## [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md) +######## [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md) +######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md) + +####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md) +######## [List machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md) +######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md) +######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) +######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) +######## [Add or Remove machine tags](windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md) +######## [Find machines by IP](windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md) + + +####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md) +######## [List Machine Actions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) +######## [Get Machine Action](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md) +######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md) +######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) +######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md) +######## [Release machine from isolation](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md) +######## [Restrict app execution](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md) +######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) +######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md) +######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md) +######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md) + +####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md) +######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) +######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md) + + +###### How to use APIs - Samples +####### Advanced Hunting API +######## [Schedule advanced Hunting using Microsoft Flow](windows-defender-atp/run-advanced-query-sample-ms-flow.md) +######## [Advanced Hunting using PowerShell](windows-defender-atp/run-advanced-query-sample-powershell.md) +######## [Advanced Hunting using Python](windows-defender-atp/run-advanced-query-sample-python.md) +######## [Create custom Power BI reports](windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md) +####### Multiple APIs +######## [PowerShell](windows-defender-atp/exposed-apis-full-sample-powershell.md) +####### [Using OData Queries](windows-defender-atp/exposed-apis-odata-samples.md) + +##### [Use the Windows Defender ATP exposed APIs (deprecated)](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md) +###### [Supported Windows Defender ATP APIs (deprecated)](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md) +#######Actor (deprecated) +######## [Get actor information (deprecated)](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md) +######## [Get actor related alerts (deprecated)](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md) +#######Alerts (deprecated) +######## [Get alerts (deprecated)](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md) +######## [Get alert information by ID (deprecated)](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md) +######## [Get alert related actor information (deprecated)](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md) +######## [Get alert related domain information (deprecated)](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md) +######## [Get alert related file information (deprecated)](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md) +######## [Get alert related IP information (deprecated)](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) +######## [Get alert related machine information (deprecated)](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) +#######Domain (deprecated) +######## [Get domain related alerts (deprecated)](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md) +######## [Get domain related machines (deprecated)](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md) +######## [Get domain statistics (deprecated)](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md) +######## [Is domain seen in organization (deprecated)](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) + +#######File(deprecated) +######## [Block file (deprecated)](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md) +######## [Get file information (deprecated)](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md) +######## [Get file related alerts (deprecated)](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md) +######## [Get file related machines (deprecated)](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md) +######## [Get file statistics (deprecated)](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md) +######## [Get FileActions collection (deprecated)](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md) +######## [Unblock file (deprecated)](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md) + +#######IP (deprecated) +######## [Get IP related alerts (deprecated)](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md) +######## [Get IP related machines (deprecated)](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md) +######## [Get IP statistics (deprecated)](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md) +######## [Is IP seen in organization (deprecated)](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md) +#######Machines (deprecated) +######## [Collect investigation package (deprecated)](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md) +######## [Find machine information by IP (deprecated)](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md) +######## [Get machines (deprecated)](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md) +######## [Get FileMachineAction object (deprecated)](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md) +######## [Get FileMachineActions collection (deprecated)](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md) +######## [Get machine by ID (deprecated)](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md) +######## [Get machine log on users (deprecated)](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md) +######## [Get machine related alerts (deprecated)](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md) +######## [Get MachineAction object (deprecated)](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md) +######## [Get MachineActions collection (deprecated)](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md) +######## [Get machines (deprecated)](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md) +######## [Get package SAS URI (deprecated)](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md) +######## [Isolate machine (deprecated)](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md) +######## [Release machine from isolation (deprecated)](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md) +######## [Remove app restriction (deprecated)](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md) +######## [Request sample (deprecated)](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md) +######## [Restrict app execution (deprecated)](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md) +######## [Run antivirus scan (deprecated)](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md) +######## [Stop and quarantine file (deprecated)](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md) + +#######User (deprecated) +######## [Get alert related user information (deprecated)](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md) +######## [Get user information (deprecated)](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md) +######## [Get user related alerts (deprecated)](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md) +######## [Get user related machines (deprecated)](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md) + + +#####Windows updates (KB) info +###### [Get KbInfo collection](windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md) +#####Common Vulnerabilities and Exposures (CVE) to KB map +###### [Get CVE-KB map](windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md) + + + + + + + + + ##### API for custom alerts ###### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md) ###### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md) @@ -326,6 +414,7 @@ #### Configure Microsoft threat protection integration ##### [Configure conditional access](windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md) ##### [Configure Microsoft Cloud App Security integration](windows-defender-atp/microsoft-cloud-app-security-config.md) +##### [Configure information protection in Windows](windows-defender-atp/information-protection-in-windows-config.md) diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md index e31ecb598c..baac7dff4d 100644 --- a/windows/security/threat-protection/auditing/event-4672.md +++ b/windows/security/threat-protection/auditing/event-4672.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: Mir0sh -ms.date: 04/19/2017 +ms.date: 12/20/2018 --- # 4672(S): Special privileges assigned to new logon. @@ -18,7 +18,7 @@ ms.date: 04/19/2017 Event 4672 illustration - +
      ***Subcategory:*** [Audit Special Logon](audit-special-logon.md) ***Event Description:*** @@ -125,7 +125,7 @@ You typically will see many of these events in the event log, because every logo | SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | | SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
      With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
      This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
      READ\_CONTROL
      ACCESS\_SYSTEM\_SECURITY
      FILE\_GENERIC\_READ
      FILE\_TRAVERSE | | SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
      When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | -| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
      With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
      With this privilege, the user can attach a debugger to any process or to the kernel. We recommend that SeDebugPrivilege always be granted to Administrators, and only to Administrators. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | | SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
      With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
      The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | | SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | | SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
      With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md index b0f14b177b..55ce54d4ee 100644 --- a/windows/security/threat-protection/auditing/event-5031.md +++ b/windows/security/threat-protection/auditing/event-5031.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: Mir0sh -ms.date: 04/19/2017 --- # 5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network. @@ -15,6 +14,8 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 - Windows Server 2016 +- Windows Server 2012 R2 +- Windows Server 2012 Event 5031 illustration diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md new file mode 100644 index 0000000000..d61268d81f --- /dev/null +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -0,0 +1,186 @@ +--- +title: How to control USB devices and other removable media using Intune (Windows 10) +description: You can configure Intune settings to reduce threats from removable storage such as USB devices. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +ms.author: justinha +author: justinha +ms.date: 02/06/2019 +--- + +# How to control USB devices and other removable media using Windows Defender ATP + +**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +Windows Defender ATP provides multiple monitoring and control features for USB peripherals to help prevent threats in unauthorized peripherals from compromising your devices: + +1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling: + - [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware. + - The [Exploit Guard Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB. + - [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in. + +2. [Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting](#detect-plug-and-play-connected-events) + - Identify or investigate suspicious usage activity. Create customized alerts based on these PnP events or any other Windows Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). + +3. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral: + - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination. + - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. + +>[!NOTE] +>These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. + +For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog). + +## Prevent threats from removable storage + +Windows Defender ATP can help identify and block malicious files on allowed removable storage peripherals. + +### Enable Windows Defender Antivirus Scanning + +Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans. + +- If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Windows Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices. +- If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting. + +>[!NOTE] +>We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Windows Defender Antivirus** > **Real-time monitoring**. + + + +### Block untrusted and unsigned processes on USB peripherals + +End-users might plug in removable devices that are infected with malware. +To prevent infections, a company can block USB files that are unsigned or untrusted. +Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral. +This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively. +With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards. +Affected file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files. + +These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). + +1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). +2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. + + ![Create device configuration profile](images/create-device-configuration-profile.png) + +3. Use the following settings: + + - Name: Type a name for the profile + - Description: Type a description + - Platform: Windows 10 or later + - Profile type: Endpoint protection + + ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) + +4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**. + +5. For **Unsigned and untrusted processes that run from USB**, choose **Block**. + + ![Block untrusted processes](images/block-untrusted-processes.png) + +6. Click **OK** to close **Attack Surface Reduction**, **Windows Defender Exploit Guard**, and **Endpoint protection**. + +7. Click **Create** to save the profile. + +### Protect against Direct Memory Access (DMA) attacks + +DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. The following settings help to prevent DMA attacks: + +1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users. + + Beginning with Windows 10 version 1809, you can adjust the level of Kernel DMA Protection by configuring the [DMA Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-deviceenumerationpolicy). This is an additional control for peripherals that don't support device memory isolation (also known as DMA-remapping). Memory isolation allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral (memory sandboxing). In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. + + Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). + +2. On Windows 10 systems that do not suppprt Kernel DMA Protection, you can: + + - [Block DMA until a user signs in](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) + - [Block all connections via the Thunderbolt ports (including USB devices)](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d) + + +## Detect plug and play connected events + +You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations. +For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). +Based on any Windows Defender ATP event, including the plug and play events, you can create custom alerts using the Windows Defender ATP [custom detection rule feature](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). + +## Respond to threats + +Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device. + +>[!Note] +>Always test and refine these settings with a pilot group of users and devices first before applying them in production. + +The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals. +For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog). + +| Control | Description | +|----------|-------------| +| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage | +| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware | +| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware | + +>[!Note] +>Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. + +### Block installation and usage of removable storage + +1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). +2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. + + ![Create device configuration profile](images/create-device-configuration-profile.png) + +3. Use the following settings: + + - Name: Type a name for the profile + - Description: Type a description + - Platform: Windows 10 and later + - Profile type: Device restrictions + + ![Create profile](images/create-profile.png) + +4. Click **Configure** > **General**. + +5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**. **Removable storage** includes USB drives, where **USB connection (mobile only)** excludes USB charging but includes other USB connections on mobile devices only. + + ![General settings](images/general-settings.png) + +6. Click **OK** to close **General** settings and **Device restrictions**. + +7. Click **Create** to save the profile. + +### Only allow installation and usage of specifically approved peripherals + +Windows Defender ATP allows installation and usage of only specifically approved peripherals by creating a custom profile in Intune and configuring [DeviceInstallation policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation). +For example, this custom profile allows installation and usage of USB devices with hardware IDs "USBSTOR\DiskVendorCo" and "USBSTOR\DiskSanDisk_Cruzer_Glide_3.0". + +![Custom profile](images/custom-profile-allow-device-ids.png) + +Peripherals that are allowed to be installed can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + +For a SyncML example that allows installation of specific device IDs, see [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdeviceids). To allow specific device classes, see [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdevicesetupclasses). +Allowing installation of specific devices requires also enabling [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings). + +### Prevent installation of specifically prohibited peripherals + +Windows Defender ATP also blocks installation and usage of prohibited peripherals either by using **Administrative Templates** or [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) with a custom profile in Intune. + +For more information about using **Administrative Templates**, see [Windows 10 templates to configure Group Policy settings in Microsoft Intune](https://docs.microsoft.com/intune/administrative-templates-windows). + +For a SyncML example that prevents installation of specific device IDs, see [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids). To prevent specific device classes, see [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses). + +## Related topics + +- [Configure real-time protection for Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) +- [Defender/AllowFullScanRemovableDriveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) +- [Policy/DeviceInstallation CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) +- [Perform a custom scan of a removable device](https://aka.ms/scanusb) +- [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) +- [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure) + + + diff --git a/windows/security/threat-protection/device-control/images/block-untrusted-processes.png b/windows/security/threat-protection/device-control/images/block-untrusted-processes.png new file mode 100644 index 0000000000..3080e0d1f0 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/block-untrusted-processes.png differ diff --git a/windows/security/threat-protection/device-control/images/class-guids.png b/windows/security/threat-protection/device-control/images/class-guids.png new file mode 100644 index 0000000000..6951e4ed5a Binary files /dev/null and b/windows/security/threat-protection/device-control/images/class-guids.png differ diff --git a/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png new file mode 100644 index 0000000000..9d295dfa6b Binary files /dev/null and b/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png differ diff --git a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png new file mode 100644 index 0000000000..1b6d4aa708 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png differ diff --git a/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png new file mode 100644 index 0000000000..eaba30b27f Binary files /dev/null and b/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png differ diff --git a/windows/security/threat-protection/device-control/images/create-profile.png b/windows/security/threat-protection/device-control/images/create-profile.png new file mode 100644 index 0000000000..ada168228e Binary files /dev/null and b/windows/security/threat-protection/device-control/images/create-profile.png differ diff --git a/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png b/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png new file mode 100644 index 0000000000..95ac48ec54 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png differ diff --git a/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png b/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png new file mode 100644 index 0000000000..44be977537 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png differ diff --git a/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png b/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png new file mode 100644 index 0000000000..cf8399acf4 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png differ diff --git a/windows/security/threat-protection/device-control/images/general-settings.png b/windows/security/threat-protection/device-control/images/general-settings.png new file mode 100644 index 0000000000..152822dc29 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/general-settings.png differ diff --git a/windows/security/threat-protection/device-control/images/hardware-ids.png b/windows/security/threat-protection/device-control/images/hardware-ids.png new file mode 100644 index 0000000000..9017f289f6 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/hardware-ids.png differ diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index a83dc7afac..028116204e 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -63,8 +63,8 @@ To further reinforce the security perimeter of your network, Windows Defender AT -**[Endpoint protection and response](windows-defender-atp/overview-endpoint-detection-response.md)**
      -Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. +**[Endpoint detection and response](windows-defender-atp/overview-endpoint-detection-response.md)**
      +Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. - [Alerts](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) - [Historical endpoint data](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) diff --git a/windows/security/threat-protection/intelligence/TOC.md b/windows/security/threat-protection/intelligence/TOC.md index db9e975f40..1bea408ef2 100644 --- a/windows/security/threat-protection/intelligence/TOC.md +++ b/windows/security/threat-protection/intelligence/TOC.md @@ -36,7 +36,7 @@ ## [Safety Scanner download](safety-scanner-download.md) -## [Industry antivirus tests](top-scoring-industry-antivirus-tests.md) +## [Industry tests](top-scoring-industry-antivirus-tests.md) ## [Industry collaboration programs](cybersecurity-industry-partners.md) diff --git a/windows/security/threat-protection/intelligence/coinminer-malware.md b/windows/security/threat-protection/intelligence/coinminer-malware.md index e74b6ea5f4..acafa8b532 100644 --- a/windows/security/threat-protection/intelligence/coinminer-malware.md +++ b/windows/security/threat-protection/intelligence/coinminer-malware.md @@ -8,7 +8,10 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 08/17/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Coin miners diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md index b33d8c80f8..8c2b11944e 100644 --- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md +++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md @@ -8,7 +8,10 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 07/12/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Coordinated Malware Eradication diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md index 338810c3c0..c0a0e11884 100644 --- a/windows/security/threat-protection/intelligence/criteria.md +++ b/windows/security/threat-protection/intelligence/criteria.md @@ -8,7 +8,10 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 08/01/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # How Microsoft identifies malware and potentially unwanted applications @@ -145,7 +148,7 @@ Advertisements shown to you must: #### Consumer opinion -Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps us identify new malware quickly. After analysis, Microsoft creates definitions for software that meets the described criteria. These definitions identify the software as malware and are available to all users through Windows Defender Antivirus and other Microsoft antimalware solutions. +Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps us identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Windows Defender Antivirus and other Microsoft antimalware solutions. ## Potentially unwanted application (PUA) diff --git a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md index 8a1c4b9338..37903b6e79 100644 --- a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md +++ b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md @@ -8,7 +8,10 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 07/12/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual --- # Industry collaboration programs diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md index e6979a1851..a2bbd64cbe 100644 --- a/windows/security/threat-protection/intelligence/developer-faq.md +++ b/windows/security/threat-protection/intelligence/developer-faq.md @@ -10,7 +10,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 07/01/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Software developer FAQ @@ -18,24 +21,29 @@ ms.date: 07/01/2018 This page provides answers to common questions we receive from software developers. For general guidance about submitting malware or incorrectly detected files, read the submission guide. ## Does Microsoft accept files for a known list or false-positive prevention program? + No. We do not accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list or, far less frequently, in adding your digital certificate to a list of trusted publishers. ## How do I dispute the detection of my program? -Submit the file in question as a software developer. Wait until your submission has a final determination. + +Submit the file in question as a software developer. Wait until your submission has a final determination. If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary. We encourage all software vendors and developers to read about how Microsoft identifies malware and unwanted software. ## Why is Microsoft asking for a copy of my program? + This can help us with our analysis. Participants of the Microsoft Active Protection Service (MAPS) may occasionally receive these requests. The requests will stop once our systems have received and processed the file. ## Why does Microsoft classify my installer as a software bundler? + It contains instructions to offer a program classified as unwanted software. You can review the criteria we use to check applications for behaviors that are considered unwanted. ## Why is the Windows Firewall blocking my program? + This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more about Windows Firewall from the Microsoft Developer Network. ## Why does the Windows Defender SmartScreen say my program is not commonly downloaded? -This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website. +This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website. \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/developer-info.md b/windows/security/threat-protection/intelligence/developer-info.md index 43c679345e..64dc28a46a 100644 --- a/windows/security/threat-protection/intelligence/developer-info.md +++ b/windows/security/threat-protection/intelligence/developer-info.md @@ -10,16 +10,21 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 07/13/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Information for developers + Learn about the common questions we receive from software developers and get other developer resources such as detection criteria and file submissions. -## In this section -Topic | Description +## In this section + +Topic | Description :---|:--- [Software developer FAQ](developer-faq.md) | Provides answers to common questions we receive from software developers. -[Developer resources](developer-resources.md) | Provides information about how to submit files, detection criteria, and how to check your software against the latest definitions and cloud protection from Microsoft. +[Developer resources](developer-resources.md) | Provides information about how to submit files, detection criteria, and how to check your software against the latest Security intelligence and cloud protection from Microsoft. diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md index def783966f..49f709ec74 100644 --- a/windows/security/threat-protection/intelligence/developer-resources.md +++ b/windows/security/threat-protection/intelligence/developer-resources.md @@ -1,16 +1,19 @@ --- title: Software developer resources -description: This page provides information for developers such as detection criteria, developer questions, and how to check your software against definitions. -keywords: wdsi, software, developer, resources, detection, criteria, questions, scan, software, definitions, cloud, protection +description: This page provides information for developers such as detection criteria, developer questions, and how to check your software against Security intelligence. +keywords: wdsi, software, developer, resources, detection, criteria, questions, scan, software, definitions, cloud, protection, security intelligence search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: medium -ms.date: 07/13/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Software developer resources @@ -19,7 +22,9 @@ Concerned about the detection of your software? If you believe that your application or program has been incorrectly detected by Microsoft security software, submit the relevant files for analysis. Check out the following resources for information on how to submit and view submissions: + - [Submit files](https://www.microsoft.com/en-us/wdsi/filesubmission) + - [View your submissions](https://www.microsoft.com/en-us/wdsi/submissionhistory) ## Additional resources @@ -34,4 +39,4 @@ Find more guidance about the file submission and detection dispute process in ou ### Scan your software -Use [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) to check your software against the latest definitions and cloud protection from Microsoft. +Use [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) to check your software against the latest Security intelligence and cloud protection from Microsoft. diff --git a/windows/security/threat-protection/intelligence/exploits-malware.md b/windows/security/threat-protection/intelligence/exploits-malware.md index 460e31a545..9a519a1f3d 100644 --- a/windows/security/threat-protection/intelligence/exploits-malware.md +++ b/windows/security/threat-protection/intelligence/exploits-malware.md @@ -8,7 +8,10 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 08/17/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Exploits and exploit kits @@ -26,7 +29,7 @@ The infographic below shows how an exploit kit might attempt to exploit a device ![example of how exploit kits work](./images/ExploitKit.png) -*Example of how exploit kits work* +*Figure 1. Example of how exploit kits work* Several notable threats, including Wannacry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144 to launch malware. diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index 435ac333f9..51d21fcd0c 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md @@ -6,12 +6,15 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: eravena -author: eavena -ms.date: 09/14/2018 +ms.author: ellevin +author: levinec +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- -#Fileless threats +# Fileless threats What exactly is a fileless threat? The term "fileless" suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The terms is used broadly; it's also used to describe malware families that do rely on files in order to operate. @@ -24,50 +27,50 @@ To shed light on this loaded term, we grouped fileless threats into different ca We can classify fileless threats by their entry point, which indicates how fileless malware can arrive on a machine: via an exploit; through compromised hardware; or via regular execution of applications and scripts. -Next, we can list the form of entry point: for example, exploits can be based on files or network data; PCI peripherals are a type of hardware vector; and scripts and executables are sub-categories of the execution vector. +Next, we can list the form of entry point: for example, exploits can be based on files or network data; PCI peripherals are a type of hardware vector; and scripts and executables are sub-categories of the execution vector. Finally, we can classify the host of the infection: for example, a Flash application that may contain an exploit; a simple executable; a malicious firmware from a hardware device; or an infected MBR, which could bootstrap the execution of a malware before the operating system even loads. This helps us divide and categorize the various kinds of fileless threats. Clearly, the categories are not all the same: some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced. -From this categorization, we can glean three big types of fileless threats based on how much fingerprint they may leave on infected machines. +From this categorization, we can glean three big types of fileless threats based on how much fingerprint they may leave on infected machines. -##Type I: No file activity performed +## Type I: No file activity performed -A completely fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? An example scenario could be a target machine receiving malicious network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file. +A completely fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? An example scenario could be a target machine receiving malicious network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file. Another scenario could involve compromised devices, where malicious code could be hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or even in the firmware of a network card. All these examples do not require a file on the disk in order to run and can theoretically live only in memory, surviving even reboots, disk reformats, and OS reinstalls. Infections of this type can be extra difficult to detect and remediate. Antivirus products usually don’t have the capability to access firmware for inspection; even if they did, it would be extremely challenging to detect and remediate threats at this level. Because this type of fileless malware requires high levels of sophistication and often depend on particular hardware or software configuration, it’s not an attack vector that can be exploited easily and reliably. For this reason, while extremely dangerous, threats of this type tend to be very uncommon and not practical for most attacks. -##Type II: Indirect file activity +## Type II: Indirect file activity -There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type don’t directly write files on the file system, but they can end up using files indirectly. This is the case for [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html). Attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run such command periodically. +There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type don’t directly write files on the file system, but they can end up using files indirectly. This is the case for [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html). Attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run such command periodically. It’s possible to carry out such installation via command line without requiring the presence of the backdoor to be on a file in the first place. The malware can thus be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file that is a central storage area managed by the CIM Object Manager and usually contains legitimate data. Therefore, while the infection chain does technically use a physical file, for practical purposes it’s considered a fileless attack given that the WMI repository is a multi-purpose data container that cannot be simply detected and removed. -##Type III: Files required to operate +## Type III: Files required to operate Some malware can have some sort of fileless persistence but not without using files in order to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. This action means that opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe. ![Image of Kovter's registry key](images/kovter-reg-key.png)
      *Figure 2. Kovter’s registry key* -When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-run key configured to open such file when the machine starts. +When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-run key configured to open such file when the machine starts. Despite the use of files, and despite the fact that the registry too is stored in physical files, Kovter is considered a fileless threat because the file system is of no practical use: the files with random extension contain junk data that is not usable in verifying the presence of the threat, and the files that store the registry are containers that cannot be detected and deleted if malicious content is present. -##Categorizing fileless threats by infection host +## Categorizing fileless threats by infection host Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware does not get the upper hand in the arms race. -###Exploits +### Exploits **File-based** (Type III: executable, Flash, Java, documents): An initial file may exploit the operating system, the browser, the Java engine, the Flash engine, etc. in order to execute a shellcode and deliver a payload in memory. While the payload is fileless, the initial entry vector is a file. **Network-based** (Type I): A network communication that takes advantage of a vulnerability in the target machine can achieve code execution in the context of an application or the kernel. An example is WannaCry, which exploits a previously fixed vulnerability in the SMB protocol to deliver a backdoor within the kernel memory. -###Hardware +### Hardware **Device-based** (Type I: network card, hard disk): Devices like hard disks and network cards require chipsets and dedicated software to function. A software residing and running in the chipset of a device is called a firmware. Although a complex task, the firmware can be infected by malware, as the [Equation espionage group has been caught doing](https://www.kaspersky.com/blog/equation-hdd-malware/7623/). @@ -79,7 +82,7 @@ Having described the broad categories, we can now dig into the details and provi **Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor in order to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although very few are known to date. -###Execution and injection +### Execution and injection **File-based** (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple executable can be launched as a first-stage malware to run an additional payload in memory or inject it into other legitimate running processes. @@ -89,8 +92,8 @@ Having described the broad categories, we can now dig into the details and provi **Disk-based** (Type II: Boot Record): The [Boot Record](https://en.wikipedia.org/wiki/Boot_sector) is the first sector of a disk or volume and contains executable code required to start the boot process of the operating system. Threats like [Petya](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc) are capable of infecting the Boot Record by overwriting it with malicious code, so that when the machine is booted the malware immediately gains control (and in the case of Petya, with disastrous consequences). The Boot Record resides outside the file system, but it’s accessible by the operating system, and modern antivirus products have the capability to scan and restore it. -##Defeating fileless malware +## Defeating fileless malware -At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Windows Defender Advanced Threat Protection [(Windows Defender ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. +At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Windows Defender Advanced Threat Protection [(Windows Defender ATP)](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/images/PrevalentMalware.png b/windows/security/threat-protection/intelligence/images/PrevalentMalware.png deleted file mode 100644 index 8d93b4ed9d..0000000000 Binary files a/windows/security/threat-protection/intelligence/images/PrevalentMalware.png and /dev/null differ diff --git a/windows/security/threat-protection/intelligence/images/PrevalentMalware18.png b/windows/security/threat-protection/intelligence/images/PrevalentMalware18.png new file mode 100644 index 0000000000..b3a4456f19 Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/PrevalentMalware18.png differ diff --git a/windows/security/threat-protection/intelligence/images/RealWorld.png b/windows/security/threat-protection/intelligence/images/RealWorld.png deleted file mode 100644 index 82b7983c38..0000000000 Binary files a/windows/security/threat-protection/intelligence/images/RealWorld.png and /dev/null differ diff --git a/windows/security/threat-protection/intelligence/images/RealWorld18.png b/windows/security/threat-protection/intelligence/images/RealWorld18.png new file mode 100644 index 0000000000..2961cbb6b2 Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/RealWorld18.png differ diff --git a/windows/security/threat-protection/intelligence/images/av-comparatives-logo-3.png b/windows/security/threat-protection/intelligence/images/av-comparatives-logo-3.png deleted file mode 100644 index d7d3835e87..0000000000 Binary files a/windows/security/threat-protection/intelligence/images/av-comparatives-logo-3.png and /dev/null differ diff --git a/windows/security/threat-protection/intelligence/images/av-test-logo.png b/windows/security/threat-protection/intelligence/images/av-test-logo.png deleted file mode 100644 index cc8704dc7f..0000000000 Binary files a/windows/security/threat-protection/intelligence/images/av-test-logo.png and /dev/null differ diff --git a/windows/security/threat-protection/intelligence/images/se-labs.png b/windows/security/threat-protection/intelligence/images/se-labs.png deleted file mode 100644 index 41bdc75e8a..0000000000 Binary files a/windows/security/threat-protection/intelligence/images/se-labs.png and /dev/null differ diff --git a/windows/security/threat-protection/intelligence/images/se-labs2.PNG b/windows/security/threat-protection/intelligence/images/se-labs2.PNG deleted file mode 100644 index 630109a897..0000000000 Binary files a/windows/security/threat-protection/intelligence/images/se-labs2.PNG and /dev/null differ diff --git a/windows/security/threat-protection/intelligence/index.md b/windows/security/threat-protection/intelligence/index.md index 1b234b902e..cde3c3a454 100644 --- a/windows/security/threat-protection/intelligence/index.md +++ b/windows/security/threat-protection/intelligence/index.md @@ -8,7 +8,10 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 08/17/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual --- # Security intelligence @@ -19,6 +22,6 @@ Here you will find information about different types of malware, safety tips on * [Submit files for analysis](submission-guide.md) * [Safety Scanner download](safety-scanner-download.md) -Keep up with the latest malware news and research. Check out our [Windows security blogs](https://aka.ms/wdsecurityblog) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections. +Keep up with the latest malware news and research. Check out our [Windows security blogs](https://cloudblogs.microsoft.com/microsoftsecure/?product=windows,windows-defender-advanced-threat-protection) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections. Learn more about [Windows security](https://docs.microsoft.com/windows/security/index). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md index 1feeecd262..f58b40e4bf 100644 --- a/windows/security/threat-protection/intelligence/macro-malware.md +++ b/windows/security/threat-protection/intelligence/macro-malware.md @@ -8,7 +8,10 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 08/17/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Macro malware diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md index 2dd0229441..c2073434a4 100644 --- a/windows/security/threat-protection/intelligence/malware-naming.md +++ b/windows/security/threat-protection/intelligence/malware-naming.md @@ -8,7 +8,10 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 08/17/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Malware names diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md index bc99e5240b..31666e81cb 100644 --- a/windows/security/threat-protection/intelligence/phishing.md +++ b/windows/security/threat-protection/intelligence/phishing.md @@ -8,7 +8,10 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 08/17/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Phishing diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md index 4340c81fde..6826c7b1af 100644 --- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md +++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md @@ -8,14 +8,15 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 08/17/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Prevent malware infection Malware authors are always looking for new ways to infect computers. Follow the simple tips below to stay protected and minimize threats to your data and accounts. -You can also browse the many [software and application solutions](https://review.docs.microsoft.com/en-us/windows/security/intelligence/prevent-malware-infection?branch=wdsi-migration-stuff#software-solutions) available to you. - ## Keep software up-to-date [Exploits](exploits-malware.md) typically use vulnerabilities in popular software such as web browsers, Java, Adobe Flash Player, and Microsoft Office to infect devices. Software updates patch vulnerabilities so they aren't available to exploits anymore. @@ -28,7 +29,7 @@ Email and other messaging tools are a few of the most common ways your device ca * Use an email service that provides protection against malicious attachments, links, and abusive senders. [Microsoft Office 365](https://support.office.com/article/Anti-spam-and-anti-malware-protection-in-Office-365-5ce5cf47-2120-4e51-a403-426a13358b7e) has built-in antimalware, link protection, and spam filtering. -For more information, see [Phishing](phishing.md). +For more information, see [phishing](phishing.md). ## Watch out for malicious or compromised websites @@ -50,7 +51,7 @@ Using pirated content is not only illegal, it can also expose your device to mal Users do not openly discuss visits to these sites, so any untoward experience are more likely to stay unreported. -To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as [Windows 10 Pro SKU S Mode](https://www.microsoft.com/windows/windows-10-s?ocid=cx-wdsi-articles), which ensures that only vetted apps from the Windows Store are installed. +To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as [Windows 10 Pro SKU S Mode](https://www.microsoft.com/en-us/windows/s-mode?ocid=cx-wdsi-articles), which ensures that only vetted apps from the Windows Store are installed. ## Don't attach unfamiliar removable drives @@ -94,7 +95,7 @@ Microsoft provides comprehensive security capabilities that help protect against * [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies. -* [Microsoft Safety Scanner](https://www.microsoft.com/wdsi/products/scanner) helps remove malicious software from computers. NOTE: This tool does not replace your antimalware product. +* [Microsoft Safety Scanner](safety-scanner-download.md) helps remove malicious software from computers. NOTE: This tool does not replace your antimalware product. * [Microsoft 365](https://docs.microsoft.com/microsoft-365/enterprise/#pivot=itadmin&panel=it-security) includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources power productivity while providing intelligent security across users, devices, and data. @@ -114,4 +115,4 @@ Microsoft provides comprehensive security capabilities that help protect against Windows Defender ATP antivirus capabilities helps reduce the chances of infection and will automatically remove threats that it detects. -In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection). \ No newline at end of file +In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index 3441ceb6d7..5e39af26b7 100644 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md @@ -8,7 +8,10 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 08/17/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Ransomware diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md index cf0bc0334f..7f3d5bf8b2 100644 --- a/windows/security/threat-protection/intelligence/rootkits-malware.md +++ b/windows/security/threat-protection/intelligence/rootkits-malware.md @@ -8,7 +8,10 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 08/17/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Rootkits @@ -50,7 +53,7 @@ For more general tips, see [prevent malware infection](prevent-malware-infection Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you might have a rootkit on your device and your antimalware software isn’t detecting it, you might need an extra tool that lets you boot to a known trusted environment. -[Windows Defender Offline](https://windows.microsoft.com/windows/what-is-windows-defender-offline) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible malware infection. +[Windows Defender Offline](https://support.microsoft.com/help/17466/windows-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible malware infection. [System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) in Windows 10 protects against rootkits and threats that impact system integrity. diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md index 5dc552c190..b122b4f14c 100644 --- a/windows/security/threat-protection/intelligence/safety-scanner-download.md +++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md @@ -6,16 +6,20 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: dansimp -author: dansimp -ms.date: 08/01/2018 +ms.author: ellevin +author: levinec +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Microsoft Safety Scanner + Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats. -- [Download 32-bit](https://go.microsoft.com/fwlink/?LinkId=212733) +- [Download Microsoft Safety Scanner (32-bit)](https://go.microsoft.com/fwlink/?LinkId=212733) -- [Download 64-bit](https://go.microsoft.com/fwlink/?LinkId=212732) +- [Download Microsoft Safety Scanner (64-bit)](https://go.microsoft.com/fwlink/?LinkId=212732) Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan. @@ -37,9 +41,9 @@ For more information about the Safety Scanner, see the support article on [how t ## Related resources -- [Troubleshooting Safety Scanner](https://support.microsoft.com/kb/2520970) -- [Windows Defender Antivirus](https://www.microsoft.com/en-us/windows/windows-defender) +- [Troubleshooting Safety Scanner](https://support.microsoft.com/help/2520970/how-to-troubleshoot-an-error-when-you-run-the-microsoft-safety-scanner) +- [Windows Defender Antivirus](https://www.microsoft.com/windows/comprehensive-security) - [Microsoft Security Essentials](https://support.microsoft.com/help/14210/security-essentials-download) -- [Removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection) -- [Submit file for malware analysis](https://www.microsoft.com/en-us/wdsi/filesubmission) -- [Microsoft antimalware and threat protection solutions](https://www.microsoft.com/en-us/wdsi/products) \ No newline at end of file +- [Removing difficult threats](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware) +- [Submit file for malware analysis](https://www.microsoft.com/wdsi/filesubmission) +- [Microsoft antimalware and threat protection solutions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md index 49259aa858..5ef22fbc0b 100644 --- a/windows/security/threat-protection/intelligence/submission-guide.md +++ b/windows/security/threat-protection/intelligence/submission-guide.md @@ -1,14 +1,17 @@ --- title: How Microsoft identifies malware and potentially unwanted applications description: Learn how to submit files to Microsoft for malware analysis, how to track your submissions, and dispute detections. -keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesn’t detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesn’t detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI +keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesn’t detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesn’t detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI, security intelligence ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 08/01/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Submit files for analysis diff --git a/windows/security/threat-protection/intelligence/supply-chain-malware.md b/windows/security/threat-protection/intelligence/supply-chain-malware.md index 340a2bf9f0..82d2b453d7 100644 --- a/windows/security/threat-protection/intelligence/supply-chain-malware.md +++ b/windows/security/threat-protection/intelligence/supply-chain-malware.md @@ -8,7 +8,10 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 08/17/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Supply chain attacks diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md index 098be59223..461a852aa9 100644 --- a/windows/security/threat-protection/intelligence/support-scams.md +++ b/windows/security/threat-protection/intelligence/support-scams.md @@ -8,7 +8,10 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 08/17/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Tech support scams @@ -60,4 +63,4 @@ Help Microsoft stop scammers, whether they claim to be from Microsoft or from an **www.microsoft.com/reportascam** -You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site) or using built in web browser functionality. +You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/wdsi/support/report-unsafe-site) or using built in web browser functionality. diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md index 43bef2e93e..db3886f938 100644 --- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md +++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md @@ -1,102 +1,117 @@ --- -title: Top scoring in industry antivirus tests -description: Windows Defender Antivirus consistently achieves high scores in independent tests. View the latest scores and analysis. -keywords: security, malware, av-comparatives, av-test, av, antivirus +title: Top scoring in industry tests +description: Windows Defender ATP consistently achieves high scores in independent tests. View the latest scores and analysis. +keywords: security, malware, av-comparatives, av-test, av, antivirus, windows, defender, scores, endpoint detection and response, next generation protection, MITRE, WDATP ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 09/05/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- -# Top scoring in industry antivirus tests +# Top scoring in industry tests -[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) **consistently achieves high scores** in independent tests, displaying how it is a top choice in the antivirus market. +Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis. -We want to be transparent and have gathered top industry reports that demonstrate our enterprise antivirus capabilities. Note that these tests only provide results for antivirus and do not test for additional security protections. +## Endpoint detection & response -In the real world, millions of devices are protected from cyberattacks every day, sometimes [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). Windows Defender Antivirus is part of the [next generation](https://www.youtube.com/watch?v=Xy3MOxkX_o4) Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) security stack which addresses the latest and most sophisticated threats today. In many cases, customers might not even know they were protected. That's because Windows Defender Antivirus detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies. +Windows Defender ATP [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. -> [!TIP] -> Learn why [Windows Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise?ocid=cx-docs-avreports). +### MITRE: Industry-leading optics and detection capabilities -



      -![AV-TEST logo](./images/av-test-logo.png) +MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off. Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK framework, widely regarded today as the most comprehensive catalog of attacker techniques and tactics. -## AV-TEST: Perfect protection score of 6.0/6.0 in the latest test +- ATT&CK-based evaluation: [Leading optics and detection capabilities](https://attackevals.mitre.org/) | [Analysis](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/) + + Windows Defender ATP delivered comprehensive coverage of attacker techniques across the entire attack chain. Highlights included the breadth of telemetry, the strength of threat intelligence, and the advanced, automatic detection through machine learning, heuristics, and behavior monitoring. + +## Next generation protection + +[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) consistently performs highly in independent tests, displaying how it is a top choice in the antivirus market. Note that these tests only provide results for antivirus and do not test for additional security protections. + +Windows Defender Antivirus is part of the [next generation](https://www.youtube.com/watch?v=Xy3MOxkX_o4) Window Defender ATP security stack which addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). That's because Windows Defender Antivirus detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies. + +### AV-TEST: Protection score of 6.0/6.0 in the latest test The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware"). -### July-August 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2018/microsoft-windows-defender-antivirus-4.12--4.18-183212/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y) **Latest** +- November - December 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) **Latest** - Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 20,022 malware samples. With the latest results, Windows Defender Antivirus has achieved 100% on 14 of the 16 most recent antivirus tests (combined "Real-World" and "Prevalent malware"). + Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 19,956 malware samples. -### May-June 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) +- September - October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD) - Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 5,790 malware samples. + Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, protecting against 21,566 of 21,568 tested malware samples. -### March-April 2018 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) +- July - August 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2018/microsoft-windows-defender-antivirus-4.12--4.18-183212/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y) - Windows Defender Antivirus achieved an overall Protection score of 5.5/6.0, missing 2 out of 5,680 malware samples (0.035% miss rate). + Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 20,022 malware samples. -### January-February 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2018/microsoft-windows-defender-antivirus-4.12-180674/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports) +- May - June 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) -Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 5,105 malware samples tested. + Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 5,790 malware samples. + +- March - April 2018 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) + + Windows Defender Antivirus achieved an overall Protection score of 5.5/6.0, missing 2 out of 5,680 malware samples (0.035% miss rate). + +- January - February 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2018/microsoft-windows-defender-antivirus-4.12-180674/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports) + + Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 5,105 malware samples tested. ||| |---|---| -|![Graph describing Real-World detection rate](./images/RealWorld.png)|![Graph describing Prevalent Malware](./images/PrevalentMalware.png)| -

      +|![Graph describing Real-World detection rate](./images/RealWorld18.png)|![Graph describing Prevalent Malware](./images/PrevalentMalware18.png)| -![AV-Comparatives Logo](./images/av-comparatives-logo-3.png) - -## AV-Comparatives: Protection rating of 99.8% in the latest test +### AV-Comparatives: Protection rating of 99.6% in the latest test AV-Comparatives is an independent organization offering systematic testing for security software such as PC/Mac-based antivirus products and mobile security solutions. -### Real-World Protection Test August - September (Enterprise): [Protection Rate 99.8%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-august-september-2018-testresult/) **Latest** +- Real-World Protection Test Enterprise August - November 2018: [Protection Rate 99.6%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-august-november-2018-testresult/) **Latest** -This test, as defined by AV-Comparatives, attempts to assess the effectiveness of each security program to protect a computer against active malware threats while online. -The test set contained 599 test cases (such as malicious URLs). + This test, as defined by AV-Comparatives, attempts to assess the effectiveness of each security program to protect a computer against active malware threats while online. The test set contained 1207 test cases (such as malicious URLs). -### Malware Protection Test August 2018 (Enterprise): [Protection Rate 99.9%](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-august-2018-testresult/) +- Malware Protection Test Enterprise August 2018: [Protection Rate 99.9%](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-august-2018-testresult/) -This test, as defined by AV-Comparatives, attempts to assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. The results are based on testing against 1,556 malware samples. + This test, as defined by AV-Comparatives, attempts to assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. The results are based on testing against 1,556 malware samples. -### Real-World Protection Test March - June (Enterprise): [Protection Rate 98.7%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-march-june-2018-testresult/) +- Real-World Protection Test Enterprise March - June 2018: [Protection Rate 98.7%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-march-june-2018-testresult/) -The test set contained 1,163 test cases (such as malicious URLs). + The test set contained 1,163 test cases (such as malicious URLs). -### Malware Protection Test March 2018 (Enterprise): [Protection Rate 99.9%](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-march-2018-testresult/) +- Malware Protection Test Enterprise March 2018: [Protection Rate 99.9%](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-march-2018-testresult/) -For this test, 1,470 recent malware samples were used. + For this test, 1,470 recent malware samples were used. [Historical AV-Comparatives Microsoft tests](https://www.av-comparatives.org/vendors/microsoft/) -

      -

      -![SE Labs Logo](./images/se-labs2.png) - -## SE Labs: Total accuracy rating of AAA in the latest test +### SE Labs: Total accuracy rating of AAA in the latest test SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including endpoint software, network appliances, and cloud services. -### Enterprise Endpoint Protection July - September 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/jul-sep-2018-enterprise.pdf) **pdf** +- Enterprise Endpoint Protection October - December 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/oct-dec-2018-enterprise.pdf) **pdf** -Microsoft's next-gen protection was named as one of the most effective products, stopping all public and targeted attacks. It showcased its ability to block malicious URLs, deal with exploits, and classify legitimate apps and websites correctly. + Microsoft's next-gen protection was named as one of the leading products, stopping all of the public and targeted attacks. -### Enterprise Endpoint Protection April - June 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/apr-jun-2018-enterprise.pdf) **pdf** +- Enterprise Endpoint Protection July - September 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/jul-sep-2018-enterprise.pdf) **pdf** -Microsoft's next-gen protection was named as one of the most effective products, stopping all targeted attacks and the vast majority of public threats. + Microsoft's next-gen protection was named as one of the most effective products, stopping all public and targeted attacks. It showcased its ability to block malicious URLs, deal with exploits, and classify legitimate apps and websites correctly. + +- Enterprise Endpoint Protection April - June 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/apr-jun-2018-enterprise.pdf) **pdf** + + Microsoft's next-gen protection was named as one of the most effective products, stopping all targeted attacks and the vast majority of public threats. ## To what extent are tests representative of protection in the real world? -It is important to remember that Microsoft sees a wider and broader set of threats beyond what’s tested in the antivirus evaluations highlighted above. Windows Defender Antivirus encounters ~200 million samples every month, and the typical antivirus test consists of between 100-5,000 samples. The vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats. +It is important to remember that Microsoft sees a wider and broader set of threats beyond what’s tested in the evaluations highlighted above. For example, in an average month, we identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats. -The capabilities within [Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports) also provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry tests. These technologies address some of the latest and most sophisticated threats. Isolating AV from the rest of Windows Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that Windows Defender ATP components [catch samples that Windows Defender Antivirus missed](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) in these industry tests, which is more representative of how effectively our security suite protects customers in the real world. +The capabilities within [Windows Defender ATP](https://www.microsoft.com/en-us/windowsforbusiness?ocid=cx-docs-avreports) provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Windows Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Windows Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively our security suite protects customers in the real world. -Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/windowsforbusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports). +Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports). ![ATP](./images/wdatp-pillars2.png) diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md index 47a21f4308..0494fb62b7 100644 --- a/windows/security/threat-protection/intelligence/trojans-malware.md +++ b/windows/security/threat-protection/intelligence/trojans-malware.md @@ -8,7 +8,10 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 08/17/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Trojans @@ -37,6 +40,6 @@ Use the following free Microsoft software to detect and remove it: - [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows. -- [Microsoft Safety Scanner](https://www.microsoft.com/wdsi/products/scanner) +- [Microsoft Safety Scanner](safety-scanner-download.md) For more general tips, see [prevent malware infection](prevent-malware-infection.md). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md index 2f819e06b0..afe18b8e94 100644 --- a/windows/security/threat-protection/intelligence/understanding-malware.md +++ b/windows/security/threat-protection/intelligence/understanding-malware.md @@ -1,6 +1,6 @@ --- title: Understanding malware & other threats -description: Learn about the world's most prevalent viruses, malware, and other threats. Understand how they arrive, their detailed behaviors, infection symptoms, and how to prevent & remove them. +description: Learn about the most prevalent viruses, malware, and other threats. Understand how they arrive, their detailed behaviors, infection symptoms, and how to prevent & remove them. keywords: security, malware, virus, malware, threat, analysis, research, encyclopedia, dictionary, glossary, ransomware, support scams, unwanted software, computer infection, virus infection, descriptions, remediation, latest threats, mmpc, microsoft malware protection center, wdsi ms.prod: w10 ms.mktglfcycl: secure @@ -8,7 +8,10 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 08/17/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual --- # Understanding malware & other threats @@ -16,7 +19,7 @@ Malware is a term used to describe malicious applications and code that can caus Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims. -As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf), businesses can stay protected with next-generation protection and other security capabilities. +As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)), businesses can stay protected with next-generation protection and other security capabilities. For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic. diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md index 1bd6897c42..bea8e40fca 100644 --- a/windows/security/threat-protection/intelligence/unwanted-software.md +++ b/windows/security/threat-protection/intelligence/unwanted-software.md @@ -8,7 +8,10 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 08/17/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Unwanted software @@ -30,7 +33,7 @@ Here are some indications of unwanted software: Some indicators are harder to recognize because they are less disruptive, but are still unwanted. For example, unwanted software can modify web pages to display specific ads, monitor browsing activities, or remove control of the browser. -Microsoft uses an extensive [evaluation criteria](https://www.microsoft.com/wdsi/antimalware-support/malware-and-unwanted-software-evaluation-criteria) to identify unwanted software. +Microsoft uses an extensive [evaluation criteria](https://docs.microsoft.com/windows/security/threat-protection/intelligence/criteria) to identify unwanted software. ## How to protect against unwanted software @@ -57,4 +60,4 @@ If you only recently noticed symptoms of unwanted software infection, consider s You may also need to **remove browser add-ons** in your browsers, such as Internet Explorer, Firefox, or Chrome. -In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection). +In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware). diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md index 7ce546eeed..b7d6bd79e6 100644 --- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md @@ -8,7 +8,10 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 07/12/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Virus Information Alliance @@ -46,4 +49,4 @@ To be eligible for VIA your organization must: 3. Be willing to sign and adhere to the VIA membership agreement. -If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry). \ No newline at end of file +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index eeea702caa..f87f26230b 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -8,7 +8,10 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 07/12/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Microsoft Virus Initiative @@ -34,7 +37,7 @@ Your organization must meet the following eligibility requirements to participat 1. Offer an antimalware or antivirus product that is one of the following: * Your organization's own creation. - * Licensed from another organization, but your organization adds value such as additional definitions to its signatures. + * Licensed from another organization, but your organization adds value such as additional Security intelligence. * Developed by using an SDK (engine and other components) from another MVI Partner AM company and your organization adds a custom UI and/or other functionality (white box versions). 2. Have your own malware research team unless you distribute a Whitebox product. @@ -54,4 +57,4 @@ Your organization must meet the following eligibility requirements to participat ### Apply now -If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry). \ No newline at end of file +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md index b76c90029c..0916baf125 100644 --- a/windows/security/threat-protection/intelligence/worms-malware.md +++ b/windows/security/threat-protection/intelligence/worms-malware.md @@ -8,7 +8,10 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 08/17/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Worms @@ -25,7 +28,7 @@ Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have * **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as infostealers, spammers, clickers, downloaders, and rogues. -* **Bondat** typically arrives through fictitious Nullsoft Sciptable Install System (NSIS) Java installers and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server. +* **Bondat** typically arrives through fictitious Nullsoft Scriptable Install System (NSIS), Java installers, and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server. Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they are doing, they try to avoid detection by security software. @@ -45,4 +48,4 @@ Download [Microsoft Security Essentials](https://www.microsoft.com/download/deta In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection). -For more general tips, see [prevent malware infection](prevent-malware-infection.md). \ No newline at end of file +For more general tips, see [prevent malware infection](prevent-malware-infection.md). diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index 5388ad4fd7..5afa6d82b1 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: sagaudre author: brianlic-msft -ms.date: 06/25/2018 +ms.date: 11/26/2018 --- # Microsoft Security Compliance Toolkit 1.0 @@ -22,6 +22,7 @@ The SCT enables administrators to effectively manage their enterprise’s Group The Security Compliance Toolkit consists of: - Windows 10 security baselines + - Windows 10 Version 1809 (October 2018 Update) - Windows 10 Version 1803 (April 2018 Update) - Windows 10 Version 1709 (Fall Creators Update) - Windows 10 Version 1703 (Creators Update) @@ -30,6 +31,7 @@ The Security Compliance Toolkit consists of: - Windows 10 Version 1507 - Windows Server security baselines + - Windows Server 2019 - Windows Server 2016 - Windows Server 2012 R2 diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md index 5b63d093b8..d5b8c58676 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md +++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md @@ -60,7 +60,7 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | | Default Domain Policy | Not defined -| Default Domain Controler Policy | Not defined +| Default Domain Controller Policy | Not defined | Stand-Alone Server Default Settings | Disabled | DC Effective Default Settings | Disabled | Member Server Effective Default Settings | Disabled diff --git a/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md b/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md new file mode 100644 index 0000000000..f8676a335b --- /dev/null +++ b/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md @@ -0,0 +1,8 @@ +--- +author: jasongerend +ms.author: jgerend +ms.date: 1/4/2019 +ms.topic: include +ms.prod: w10 +--- +Using SMB packet signing can degrade performance on file service transactions, depending on the version of SMB and available CPU cycles. \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md index 6028668431..0c05506d7b 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: brianlic-msft -ms.date: 04/19/2017 +author: justinha +ms.date: 11/13/2018 --- # Minimum password age @@ -20,7 +20,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -The **Minimum password age** policy setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. +The **Minimum password age** policy setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow password changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. ### Possible values @@ -29,9 +29,16 @@ The **Minimum password age** policy setting determines the period of time (in da ### Best practices -Set **Minimum password age** to a value of 2 days. Setting the number of days to 0 allows immediate password changes, which is not recommended. +[Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend setting **Minimum password age** to 1 day. -If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box. Otherwise, the user will not be able to change the password until the number of days specified by **Minimum password age**. +Setting the number of days to 0 allows immediate password changes, which is not recommended. +Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again. +For example, suppose a password is "Ra1ny day!" and the history requirement is 24. +If the minimum password age is 0, the password can be changed 24 times in a row until finally changed back to "Ra1ny day!". +The minimum password age of 1 day prevents that. + +If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box. +Otherwise, the user will not be able to change the password until the number of days specified by **Minimum password age**. ### Location @@ -70,11 +77,11 @@ To address password reuse, you must use a combination of security settings. Usin ### Countermeasure -Configure the **Minimum password age** policy setting to a value of at least 2 days. Users should know about this limitation and contact the Help Desk if they need to change their password during that two-day period. If you configure the number of days to 0, immediate password changes would be allowed, which we do not recommend. +Configure the **Minimum password age** policy setting to a value of 1 day. Users should know about this limitation and contact the Help Desk to change a password sooner. If you configure the number of days to 0, immediate password changes would be allowed, which we do not recommend. ### Potential impact -If you set a password for a user but wants that user to change the password when the user first logs on, the administrator must select the **User must change password at next logon** check box, or the user cannot change the password until the next day. +If you set a password for a user but want that user to change the password when the user first logs on, the administrator must select the **User must change password at next logon** check box, or the user cannot change the password until the next day. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md index 988d211159..78a93d1dc7 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/2018 +ms.date: 01/04/2019 --- # SMBv1 Microsoft network client: Digitally sign communications (always) @@ -31,7 +31,7 @@ If server-side SMB signing is required, a client device will not be able to esta If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: - [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md) diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md index 16cffebd8d..74f1f7f04d 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/2018 +ms.date: 01/04/2019 --- # SMBv1 Microsoft network client: Digitally sign communications (if server agrees) @@ -29,7 +29,7 @@ If server-side SMB signing is required, a client computer will not be able to es If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md index 8e2cdd2740..9661827e2a 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/201 +ms.date: 01/04/2019 --- # SMB v1 Microsoft network server: Digitally sign communications (always) @@ -33,7 +33,7 @@ If server-side SMB signing is required, a client device will not be able to esta If server-side SMB signing is enabled, SMB packet signing will be negotiated with client devices that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md index 654a737d1a..7443f0f9de 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/2018 +ms.date: 01/04/2019 --- # SMBv1 Microsoft network server: Digitally sign communications (if client agrees) @@ -31,7 +31,7 @@ If server-side SMB signing is required, a client device will not be able to esta If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index bba7a2624e..ae91d8d14b 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 08/29/2017 +ms.date: 11/16/2018 --- # System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing @@ -50,7 +50,7 @@ Additionally, if a data drive is password-protected, it can be accessed by a FIP ### Best practices -- For use with TLS, set this policy to **Enabled**. Client devices with this policy setting enabled will be unable to communicate through digitally encrypted or signed protocols with servers that do not support these algorithms. Client devices that are connected to the network and do not support these algorithms cannot use servers that require the algorithms for network communications. If you enable this policy setting, you must also configure Internet Explorer to use TLS. +There are no best practices for this setting. Our previous guidance had recommended a setting of **Enabled**, primarily to align with US Federal government recommendations. [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend this setting be **Not Defined**, meaning that we leave the decision to customers. For a deeper explanation, see [Why We’re Not Recommending “FIPS Mode” Anymore](https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/). ### Location diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index cad1984faf..52f53a81bb 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 12/10/2018 --- # Configure and manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool @@ -37,16 +37,21 @@ MpCmdRun.exe [command] [-options] Command | Description :---|:--- -\- ? **or** -h | Displays all available options for the tool -\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]][-Timeout ] | Scans for malicious software -\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing -\-GetFiles | Collects support information -\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures -\-AddDynamicSignature [-Path] | Loads a dynamic signature -\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures -\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature -\-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md) -\-SignatureUpdate [-UNC [-Path ]] | Checks for new definition updates +\-? **or** -h | Displays all available options​ for this tool​ +\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]]​ [-Timeout ]​ [-Cancel]​ | Scans for malicious software​ +\-Trace [-Grouping #] [-Level #] | Starts diagnostic tracing​ +\-GetFiles | Collects support information​ +\-GetFilesDiagTrack | Same as Getfiles but outputs to​ temporary DiagTrack folder​ +\-RemoveDefinitions [-All] | Restores the installed​ Security intelligence to a previous backup copy or to​ the original default set +\-RemoveDefinitions [-DynamicSignatures] | Removes only the dynamically​ downloaded Security intelligence ​ +\-RemoveDefinitions [-Engine] | Restores the previous installed engine +\-SignatureUpdate [-UNC \| -MMPC] | Checks for new Security intelligence updates​ +\-Restore [-ListAll \| [[-Name ] [-All] \| [-FilePath ]] [-Path ]] | Restores or list​s quarantined item(s)​ +\-AddDynamicSignature [-Path] | Loads dynamic Security intelligence ​ +\-ListAllDynamicSignatures | Lists the loaded dynamic Security intelligence ​ +\-RemoveDynamicSignature [-SignatureSetID] | Removes dynamic Security intelligence ​ +\-CheckExclusion -path | Checks whether a path is excluded + ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 8292217735..a9db1100c9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 12/10/2018 --- # Configure and validate exclusions based on file extension and folder location @@ -264,7 +264,7 @@ The following table describes how the wildcards can be used and provides some ex ## Review the list of exclusions -You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), PowerShell, or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). +You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), MpCmdRun, PowerShell, or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). >[!IMPORTANT] >Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). @@ -276,7 +276,18 @@ If you use PowerShell, you can retrieve the list in two ways: - Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. -**Review the list of exclusions alongside all other Windows Defender Antivirus preferences:** +**Validate the exclusion list by using MpCmdRun:** + +To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: + +```DOS +MpCmdRun.exe -CheckExclusion -path +``` + +>[!NOTE] +>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. + +**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:** Use the following cmdlet: @@ -290,7 +301,7 @@ In the following example, the items contained in the `ExclusionExtension` list a See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. -**Retrieve a specific exclusions list:** +**Retrieve a specific exclusions list by using PowerShell:** Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 922fb0f10d..0cb2288b2e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -38,7 +38,7 @@ See the Enterprise Mobility and Security blog post [Important changes to Microso The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides very important protection against malware on your endpoints and across your network. >[!NOTE] ->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates. +>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. @@ -70,7 +70,7 @@ The following table lists the services and their associated URLs that your netwo Microsoft Update Service (MU) -Signature and product updates +Security intelligence and product updates *.update.microsoft.com @@ -78,10 +78,10 @@ Signature and product updates - Definition updates alternate download location (ADL) + Security intelligence updates alternate download location (ADL) - Alternate location for Windows Defender Antivirus definition updates if the installed definitions fall out of date (7 or more days behind) + Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence falls out of date (7 or more days behind) *.download.microsoft.com diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 320078778c..40785cfdec 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 12/10/2018 --- # Configure exclusions for files opened by processes @@ -147,14 +147,26 @@ Environment variables | The defined variable will be populated as a path when th ## Review the list of exclusions -You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). +You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). If you use PowerShell, you can retrieve the list in two ways: - Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. -**Review the list of exclusions alongside all other Windows Defender Antivirus preferences:** +**Validate the exclusion list by using MpCmdRun:** + +To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: + +```DOS +MpCmdRun.exe -CheckExclusion -path +``` + +>[!NOTE] +>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. + + +**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:** Use the following cmdlet: @@ -164,7 +176,7 @@ Get-MpPreference See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. -**Retrieve a specific exclusions list:** +**Retrieve a specific exclusions list by using PowerShell:** Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md index 801b935d4e..e063f1fda5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 11/13/2018 --- # Enable and configure antivirus always-on protection and monitoring @@ -42,7 +42,7 @@ Location | Setting | Description | Default setting (if not configured) ---|---|---|--- Real-time protection | Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the SmartScreen filter, which scans files before and during downloading | Enabled -Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Windows Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have disabled real-time protection | Enabled +Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Windows Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled | Enabled Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring | Enabled Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md index d7c05e739f..c075da4014 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md @@ -38,7 +38,7 @@ Windows Defender Antivirus uses the Deployment Image Servicing and Management (D ## Opt out of automatic exclusions -In Windows Server 2016, the predefined exclusions delivered by definition updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, you need to opt out of the automatic exclusions delivered in definition updates. +In Windows Server 2016, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, you need to opt out of the automatic exclusions delivered in Security intelligence updates. > [!WARNING] > Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 roles. diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md index 38147632bc..d142dad965 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md @@ -78,5 +78,5 @@ Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by Topic | Description ---|--- [Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects. -[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating definitions (protection updates). You can update definitions in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI. +[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI. [Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use Microsoft Intune, System Center Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection. diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md index 781b5ba5d5..d4182f5a74 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md @@ -116,7 +116,7 @@ How you manage your VDI will affect the performance impact of Windows Defender A Because Windows Defender Antivirus downloads protection updates every day, or [based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time. -Following the guidelines in this means the VMs will only need to download “delta” updates, which are the differences between an existing definition set and the next one. Delta updates are typically much smaller (a few kilobytes) than a full definition download (which can average around 150 mb). +Following the guidelines in this means the VMs will only need to download “delta” updates, which are the differences between an existing Security intelligence set and the next one. Delta updates are typically much smaller (a few kilobytes) than a full Security intelligence download (which can average around 150 mb). ### Manage updates for persistent VDIs @@ -160,7 +160,7 @@ These settings can be configured as part of creating your base image, or as a da ### Randomize scheduled scans -Windows Defender Antivirus supports the randomization of scheduled scans and signature updates. This can be extremely helpful in reducing boot storms (especially when used in conjunction with [Disable scans from occurring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline). +Windows Defender Antivirus supports the randomization of scheduled scans and Security intelligence updates. This can be extremely helpful in reducing boot storms (especially when used in conjunction with [Disable scans from occurring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline). Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-windows-defender-antivirus.md). @@ -178,7 +178,7 @@ The start time of the scan itself is still based on the scheduled scan policy 4. Expand the tree to **Windows components > Windows Defender** and configure the following setting: - - Double-click **Randomize scheduled task times** and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using all of the intervals) to the start of the scheduled scan and the signature update. For example, if the schedule start time was set at 2.30pm, then enabling this setting could cause one machine to scan and update at 2.33pm and another machine to scan and update at 2.14pm. + - Double-click **Randomize scheduled task times** and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using all of the intervals) to the start of the scheduled scan and the Security intelligence update. For example, if the schedule start time was set at 2.30pm, then enabling this setting could cause one machine to scan and update at 2.33pm and another machine to scan and update at 2.14pm. **Use Configuration Manager to randomize scheduled scans:** @@ -245,7 +245,7 @@ Sometimes, Windows Defender Antivirus notifications may be sent to or persist ac This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). >[!IMPORTANT] ->Running scans after an update will help ensure your VMs are protected with the latest definition updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image. +>Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image. **Use Group Policy to disable scans after an update:** @@ -265,7 +265,7 @@ This setting will prevent a scan from occurring after receiving an update. You c 2. Go to the **Scheduled scans** section and configure the following setting: -3. Set **Check for the latest definition updates before running a scan** to **No**. This prevents a scan after an update. +3. Set **Check for the latest Security intelligence updates before running a scan** to **No**. This prevents a scan after an update. 4. Click **OK**. @@ -301,11 +301,10 @@ This setting will help ensure protection for a VM that has been offline for some ### Exclusions On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page: -- [Automatic exclusions for Windows Server Antimalware](https://technet.microsoft.com/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender) +- [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus) ## Additional resources - [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s) -- [Project VRC: Windows Defender Antivirus impact and best practices on VDI](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/) - [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS) - [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index bc76dcf3d8..5d2d921020 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -21,7 +21,7 @@ ms.date: 09/03/2018 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >[!NOTE] ->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates. +>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md index 7639c8e05b..b79024274c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md @@ -95,11 +95,11 @@ You can also specify the number of days after which Windows Defender Antivirus p 5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings: - 1. Double-click the **Define the number of days before spyware definitions are considered out of date** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to consider spyware definitions as out-of-date. + 1. Double-click **Define the number of days before spyware definitions are considered out of date** and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to consider spyware Security intelligence to be out-of-date. 2. Click **OK**. - 3. Double-click the **Define the number of days before virus definitions are considered out of date** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to consider virus and other threat definitions as out-of-date. + 3. Double-click **Define the number of days before virus definitions are considered out of date** and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to consider virus Security intelligence to be out-of-date. 4. Click **OK**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index 24e05dd41a..9f27cec145 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md @@ -42,7 +42,7 @@ You can use the following sources: - [Windows Server Update Service (WSUS)](https://technet.microsoft.com/windowsserver/bb332157.aspx) - System Center Configuration Manager - A network file share -- The [Microsoft Malware Protection Center definitions page (MMPC)](https://www.microsoft.com/security/portal/definitions/adl.aspx) +- The [Microsoft Malware Protection Center Security intelligence page (MMPC)](https://www.microsoft.com/security/portal/definitions/adl.aspx) When updates are published, some logic will be applied to minimize the size of the update. In most cases, only the "delta" (or the differences between the latest update and the update that is currently installed on the endpoint) will be downloaded and applied. However, the size of the delta depends on: @@ -108,7 +108,7 @@ The procedures in this article first describe how to set the order, and then how **Use Configuration Manager to manage the update location:** -See [Configure Definition Updates for Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definition-updates) for details on configuring System Center Configuration Manager (current branch). +See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definition-updates) for details on configuring System Center Configuration Manager (current branch). **Use PowerShell cmdlets to manage the update location:** diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index c1d9aad15b..c43a3b2399 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -28,7 +28,7 @@ You can also apply [Windows security baselines](https://technet.microsoft.com/it ## Protection updates -Windows Defender Antivirus uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates". +Windows Defender Antivirus uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as Security intelligence updates. The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md index 4ea81cd37f..b62b1c4182 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md @@ -25,7 +25,7 @@ Mobile devices and VMs may require additional configuration to ensure performanc There are two settings that are particularly useful for these devices: - Opt-in to Microsoft Update on mobile computers without a WSUS connection -- Prevent definition updates when running on battery power +- Prevent Security intelligence updates when running on battery power The following topics may also be useful in these situations: - [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-windows-defender-antivirus.md) @@ -34,7 +34,7 @@ The following topics may also be useful in these situations: ## Opt-in to Microsoft Update on mobile computers without a WSUS connection -You can use Microsoft Update to keep definitions on mobile devices running Windows Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection. +You can use Microsoft Update to keep Security intelligence on mobile devices running Windows Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection. This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update. @@ -69,7 +69,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following 2. Click **Advanced** options. 3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**. -## Prevent definition updates when running on battery power +## Prevent Security intelligence updates when running on battery power You can configure Windows Defender Antivirus to only download protection updates when the PC is connected to a wired power source. diff --git a/windows/security/threat-protection/windows-defender-antivirus/oldTOC.md b/windows/security/threat-protection/windows-defender-antivirus/oldTOC.md index d86f08369c..8c12b9ff9d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/oldTOC.md +++ b/windows/security/threat-protection/windows-defender-antivirus/oldTOC.md @@ -18,7 +18,7 @@ ### [Report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) #### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](troubleshoot-reporting.md) ### [Manage updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) -#### [Manage protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) +#### [Manage protection and Security intelligence updates](manage-protection-updates-windows-defender-antivirus.md) #### [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) #### [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) #### [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md index 569d88a51c..10d6f5bedc 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 11/16/2018 --- # Restore quarantined files in Windows Defender AV @@ -25,7 +25,7 @@ If Windows Defender Antivirus is configured to detect and remediate threats on y 1. Open **Windows Security**. 2. Click **Virus & threat protection** and then click **Threat History**. 3. Under **Quarantined threats**, click **See full history**. -4. Click **Restore** for any items you want to keep. (If you prefer to remove them, you can click **Remove**.) +4. Click an item you want to keep, then click **Restore**. (If you prefer to remove the item, you can click **Remove**.) ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md index d62ac289fe..74b72c9ab1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 12/10/2018 --- # Configure scheduled quick or full Windows Defender Antivirus scans @@ -42,7 +42,6 @@ To configure the Group Policy settings described in this topic: 6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. - Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics. ## Quick scan versus full scan and custom scan @@ -66,6 +65,8 @@ A custom scan allows you to specify the files and folders to scan, such as a USB Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans. +>[!NOTE] +>If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Windows Defender Antivirus will run a full scan at the next scheduled time. **Use Group Policy to schedule scans:** @@ -219,7 +220,7 @@ You can force a scan to occur after every [protection update](manage-protection- Location | Setting | Description | Default setting (if not configured) ---|---|---|--- -Signature updates | Turn on scan after signature update | A scan will occur immediately after a new protection update is downloaded | Enabled +Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md index fe11787198..924c523815 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md @@ -23,7 +23,7 @@ ms.date: 09/03/2018 You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager. >[!NOTE] ->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates. +>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md index 6581b10ed3..f1a344b3d2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md @@ -122,21 +122,21 @@ Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) -Signature updates | Allow definition updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) -Signature updates | Allow definition updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) -Signature updates | Allow notifications to disable definitions based repots to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) -Signature updates | Allow real-time definition updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) -Signature updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) -Signature updates | Define file shares for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) -Signature updates | Define the number of days after which a catch up definition update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) -Signature updates | Define the number of days before spyware definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) -Signature updates | Define the number of days before virus definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) -Signature updates | Define the order of sources for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) -Signature updates | Initiate definition update on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) -Signature updates | Specify the day of the week to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) -Signature updates | Specify the interval to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) -Signature updates | Specify the time to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) -Signature updates | Turn on scan after signature update | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) +Security intelligence updates | Allow definition updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) +Security intelligence updates | Allow definition updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) +Security intelligence updates | Allow notifications to disable definitions based repots to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) +Security intelligence updates | Allow real-time definition updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) +Security intelligence updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) +Security intelligence updates | Define file shares for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) +Security intelligence updates | Define the number of days after which a catch up definition update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) +Security intelligence updates | Define the number of days before spyware definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) +Security intelligence updates | Define the number of days before virus definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) +Security intelligence updates | Define the order of sources for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) +Security intelligence updates | Initiate definition update on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) +Security intelligence updates | Specify the day of the week to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) +Security intelligence updates | Specify the interval to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) +Security intelligence updates | Specify the time to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) +Security intelligence updates | Turn on scan after Security intelligence update | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md) Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md index 25ca31aa0a..73fca55e16 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Use PowerShell cmdlets to configure and run Windows Defender AV -description: In Windows 10, you can use PowerShell cmdlets to run scans, update definitions, and change settings in Windows Defender Antivirus. +description: In Windows 10, you can use PowerShell cmdlets to run scans, update Security intelligence, and change settings in Windows Defender Antivirus. keywords: scan, command line, mpcmdrun, defender search.product: eADQiWindows 10XVcnh ms.pagetype: security diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index aebdd79b52..0d0f8bbae9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md @@ -26,7 +26,7 @@ To take advantage of the power and speed of these next-gen technologies, Windows >[!NOTE] ->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates. +>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. With cloud-delivered protection, next-gen technologies provide rapid identification of new threats, sometimes even before a single machine is infected. Watch the following video about Microsoft AI and Windows Defender Antivirus in action: @@ -75,5 +75,5 @@ You can also [configure Windows Defender AV to automatically receive new protect [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with System Center Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets. [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and System Center Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked. [Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection. -[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for a traditional signature. You can enable and configure it with System Center Configuration Manager and Group Policy. +[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence . You can enable and configure it with System Center Configuration Manager and Group Policy. [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy. diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 97655419cf..c58bf2bb8a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md @@ -57,7 +57,7 @@ See the [Windows Defender Antivirus on Windows Server 2016](windows-defender-ant This table indicates the functionality and features that are available in each state: -State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md) +State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Security intelligence updates](manage-updates-baselines-windows-defender-antivirus.md) :-|:-|:-:|:-:|:-:|:-:|:-: Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md index e0ce8b36b5..2434b61627 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md @@ -33,7 +33,7 @@ This topic includes the following instructions for setting up and running Window - [Verify Windows Defender AV is running](#BKMK_DefRun) -- [Update antimalware definitions](#BKMK_UpdateDef) +- [Update antimalware Security intelligence](#BKMK_UpdateDef) - [Submit Samples](#BKMK_DefSamples) @@ -112,24 +112,24 @@ sc query Windefend The `sc query` command returns information about the Windows Defender service. If Windows Defender is running, the `STATE` value displays `RUNNING`. -## Update antimalware definitions -In order to get updated antimalware definitions, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Windows Defender AV definitions are approved for the computers you manage. +## Update antimalware Security intelligence +In order to get updated antimalware Security intelligence , you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Windows Defender Antivirus Security intelligence are approved for the computers you manage. By default, Windows Update does not download and install updates automatically on Windows Server 2016. You can change this configuration by using one of the following methods: - **Windows Update** in Control Panel. - - **Install updates automatically** results in all updates being automatically installed, including Windows Defender definition updates. + - **Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates. - - **Download updates but let me choose whether to install them** allows Windows Defender to download and install definition updates automatically, but other updates are not automatically installed. + - **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. - **Group Policy**. You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates** -- The **AUOptions** registry key. The following two values allow Windows Update to automatically download and install definition updates. +- The **AUOptions** registry key. The following two values allow Windows Update to automatically download and install Security intelligence updates. - - **4** Install updates automatically. This value results in all updates being automatically installed, including Windows Defender definition updates. + - **4** Install updates automatically. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates. - - **3** Download updates but let me choose whether to install them. This value allows Windows Defender to download and install definition updates automatically, but other updates are not automatically installed. + - **3** Download updates but let me choose whether to install them. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. To ensure that protection from malware is maintained, we recommend that you enable the following services: @@ -144,13 +144,13 @@ The following table lists the services for Windows Defender and the dependent se |Windows Defender Service (Windefend)|C:\Program Files\Windows Defender\MsMpEng.exe|This is the main Windows Defender Antivirus service that needs to be running at all times.| |Windows Error Reporting Service (Wersvc)|C:\WINDOWS\System32\svchost.exe -k WerSvcGroup|This service sends error reports back to Microsoft.| |Windows Defender Firewall (MpsSvc)|C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork|We recommend leaving the Windows Defender Firewall service enabled.| -|Windows Update (Wuauserv)|C:\WINDOWS\system32\svchost.exe -k netsvcs|Windows Update is needed to get definition updates and antimalware engine updates| +|Windows Update (Wuauserv)|C:\WINDOWS\system32\svchost.exe -k netsvcs|Windows Update is needed to get Security intelligence updates and antimalware engine updates| ## Submit Samples -Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware definitions. +Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware Security intelligence. We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files. diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md index b705e33977..9c669d0de5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md @@ -48,7 +48,7 @@ Windows Defender Offline uses the most recent protection updates available on th > [!NOTE] > Before running an offline scan, you should attempt to update Windows Defender AV protection. You can either force an update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest protection updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx). -See the [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) topic for more information. +See the [Manage Windows Defender Antivirus Security intelligence updates](manage-protection-updates-windows-defender-antivirus.md) topic for more information. ## Usage scenarios diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md index ca5529dfa1..6a03421f8d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md @@ -58,7 +58,7 @@ The following diagrams compare the location of settings and functions between th Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | Description ---|---|---|--- -1 | **Update** tab | **Protection updates** | Update the protection ("definition updates") +1 | **Update** tab | **Protection updates** | Update the protection (Security intelligence) 2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed 3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission 4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Windows Defender Offline scan @@ -90,7 +90,7 @@ This section describes how to perform some of the most common tasks when reviewi 3. Click **Virus & threat protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check this against the latest version available for manual download, or review the change log for that version. -![Definition version number information](images/defender/wdav-wdsc-defs.png) +![Security intelligence version number information](images/defender/wdav-wdsc-defs.png) 4. Click **Check for updates** to download new protection updates (if there are any). diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 123f439d6f..8b71416a15 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -22,6 +22,7 @@ ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md) ### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md) +### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) #### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) #### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md index 689be7ba29..d85ed0d63b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md @@ -50,7 +50,7 @@ AppLocker helps administrators control how users can access and use files, such You can administer AppLocker policies by using the Group Policy Management Console to create or edit a Group Policy Object (GPO), or to create or edit an AppLocker policy on a local computer by using the Local Group Policy Editor snap-in or the Local Security Policy snap-in (secpol.msc). -### Administer Applocker using Group Policy +### Administer AppLocker using Group Policy You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index ce654afdd8..b5d1cd4483 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -65,7 +65,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin ``` -After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security. +After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (InitialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security. > [!Note] > We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md new file mode 100644 index 0000000000..b1018f5e79 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md @@ -0,0 +1,39 @@ +--- +title: Querying Application Control events centrally using Advanced hunting (Windows 10) +description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: mdsakibMSFT +ms.author: justinha +ms.date: 12/06/2018 +--- + +# Querying Application Control events centrally using Advanced hunting + +A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. +While Event Viewer helps to see the impact on a single system, IT Pros want to gauge the impact across many systems. + +In November 2018, we added functionality in Windows Defender Advanced Threat Protection (Windows Defender ATP) that makes it easy to view WDAC events centrally from all systems that are connected to Windows Defender ATP. + +Advanced hunting in Windows Defender ATP allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”. +This capability is supported beginning with Windows version 1607. + +Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Windows Defender ATP: + +``` +MiscEvents +| where EventTime > ago(7d) and +ActionType startswith "AppControl" +| summarize Machines=dcount(ComputerName) by ActionType +| order by Machines desc +``` + +The query results can be used for several important functions related to managing WDAC including: + +- Assessing the impact of deploying policies in audit mode + Since applications still run in audit mode, it is an ideal way to see the impact and correctness of the rules included in the policy. Integrating the generated events with Advanced hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would impact those systems in real world usage. This audit mode data will help streamline the transition to using policies in enforced mode. +- Monitoring blocks from policies in enforced mode + Policies deployed in enforced mode may block executables or scripts that fail to meet any of the included allow rules. Legitimate new applications and updates or potentially unwanted or malicious software could be blocked. In either case, the Advanced hunting queries report the blocks for further investigation. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index 2c07c12e12..b5c590602d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: jsuther1974 -ms.date: 05/03/2018 +ms.date: 01/08/2019 --- # Windows Defender Application Control @@ -17,6 +17,7 @@ ms.date: 05/03/2018 - Windows 10 - Windows Server 2016 +- Windows Server 2019 With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. In most organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. @@ -36,9 +37,9 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs ## WDAC System Requirements -WDAC policies can only be created on computers running Windows 10 Enterprise or Windows Server 2016. -They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and managed via Mobile Device Management (MDM), such as Microsoft Intune. -Group Policy can also be used to distribute Group Policy Objects that contain WDAC policies on computers running Windows 10 Enterprise or Windows Server 2016. +WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Professional editions or Windows Server 2016. +They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. +Group Policy or Intune can be used to distribute WDAC policies. ## New and changed functionality diff --git a/windows/security/threat-protection/windows-defender-application-guard/TOC.md b/windows/security/threat-protection/windows-defender-application-guard/TOC.md new file mode 100644 index 0000000000..9e42b2b691 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-guard/TOC.md @@ -0,0 +1,7 @@ +# [Windows Defender Application Guard](wd-app-guard-overview.md) + +## [System requirements](reqs-wd-app-guard.md) +## [Install WDAG](install-wd-app-guard.md) +## [Configure WDAG policies](configure-wd-app-guard.md) +## [Test scenarios](test-scenarios-wd-app-guard.md) +## [FAQ](faq-wd-app-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index bcc683e524..1ec89ed28f 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: justinha ms.author: justinha -ms.date: 10/19/2017 +ms.date: 02/07/2019 --- # Prepare to install Windows Defender Application Guard @@ -26,7 +26,7 @@ Your environment needs the following hardware to run Windows Defender Applicatio |Hardware|Description| |--------|-----------| -|64-bit CPU|A 64-bit computer with minimum 4 cores is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/virtualization/hyper-v-on-windows/reference/tlfs).| +|64-bit CPU|A 64-bit computer with minimum 4 cores is required for the hypervisor. For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/virtualization/hyper-v-on-windows/reference/tlfs).| |CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

      **-AND-**

      One of the following virtualization extensions for VBS:

      VT-x (Intel)

      **-OR-**

      AMD-V| |Hardware memory|Microsoft requires a minimum of 8GB RAM| |Hard disk|5 GB free space, solid state disk (SSD) recommended| diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md index 511904d283..798a74c87b 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: justinha ms.author: justinha -ms.date: 10/16/2018 +ms.date: 01/16/2019 --- # Application Guard testing scenarios @@ -25,7 +25,7 @@ You can see how an employee would use standalone mode with Application Guard. **To test Application Guard in Standalone mode** -1. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide. +1. Install Application Guard, using the [installation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard) steps in this guide. 2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu. @@ -46,7 +46,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise- ### Install, set up, and turn on Application Guard Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings. -1. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide. +1. Install Application Guard, using the [installation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard#install-application-guard) steps in this guide. 2. Restart the device and then start Microsoft Edge. diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md index b4f08ff71c..16fa6c33df 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md +++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md @@ -8,14 +8,14 @@ ms.pagetype: security ms.localizationpriority: medium author: justinha ms.author: justinha -ms.date: 09/07/2018 +ms.date: 11/27/2018 --- # Windows Defender Application Guard overview **Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete. +Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. ## What is Application Guard and how does it work? Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index f05f3f551f..d3ddc702eb 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -4,7 +4,8 @@ ### [Attack surface reduction](overview-attack-surface-reduction.md) #### [Hardware-based isolation](overview-hardware-based-isolation.md) ##### [Application isolation](../windows-defender-application-guard/wd-app-guard-overview.md) -##### [System isolation](how-hardware-based-containers-help-protect-windows.md) +###### [System requirements](../windows-defender-application-guard/reqs-wd-app-guard.md) +##### [System integrity](../windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) #### [Application control](../windows-defender-application-control/windows-defender-application-control.md) #### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) #### [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) @@ -16,7 +17,6 @@ #### [Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) - #### [Incidents queue](incidents-queue.md) ##### [View and organize the Incidents queue](view-incidents-queue.md) ##### [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md) @@ -84,86 +84,21 @@ ### [Management and APIs](management-apis.md) #### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -#### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md) -#####Actor -###### [Get actor information](get-actor-information-windows-defender-advanced-threat-protection.md) -###### [Get actor related alerts](get-actor-related-alerts-windows-defender-advanced-threat-protection.md) -#####Alerts -###### [Get alerts](get-alerts-windows-defender-advanced-threat-protection.md) -###### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection.md) -###### [Get alert related actor information](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md) -###### [Get alert related domain information](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md) -###### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection.md) -###### [Get alert related IP information](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) -###### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) - -#####Domain -###### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection.md) -###### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection.md) -###### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md) -###### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) - -#####File -###### [Block file API](block-file-windows-defender-advanced-threat-protection.md) -###### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md) -###### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection.md) -###### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection.md) -###### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection.md) -###### [Get FileActions collection API](get-fileactions-collection-windows-defender-advanced-threat-protection.md) -###### [Unblock file API](unblock-file-windows-defender-advanced-threat-protection.md) - -#####IP -###### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md) -###### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection.md) -###### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection.md) -###### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection.md) -#####Machines -###### [Collect investigation package API](collect-investigation-package-windows-defender-advanced-threat-protection.md) -###### [Find machine information by IP](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md) -###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md) -###### [Get FileMachineAction object API](get-filemachineaction-object-windows-defender-advanced-threat-protection.md) -###### [Get FileMachineActions collection API](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md) -###### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection.md) -###### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection.md) -###### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection.md) -###### [Get MachineAction object API](get-machineaction-object-windows-defender-advanced-threat-protection.md) -###### [Get MachineActions collection API](get-machineactions-collection-windows-defender-advanced-threat-protection.md) -###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md) -###### [Get package SAS URI API](get-package-sas-uri-windows-defender-advanced-threat-protection.md) -###### [Isolate machine API](isolate-machine-windows-defender-advanced-threat-protection.md) -###### [Release machine from isolation API](unisolate-machine-windows-defender-advanced-threat-protection.md) -###### [Remove app restriction API](unrestrict-code-execution-windows-defender-advanced-threat-protection.md) -###### [Request sample API](request-sample-windows-defender-advanced-threat-protection.md) -###### [Restrict app execution API](restrict-code-execution-windows-defender-advanced-threat-protection.md) -###### [Run antivirus scan API](run-av-scan-windows-defender-advanced-threat-protection.md) -###### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md) -#####Machines Security States -###### [Get MachineSecurityStates collection](get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md) -#####Machine Groups -###### [Get MachineGroups collection](get-machinegroups-collection-windows-defender-advanced-threat-protection.md) -#####User -###### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection.md) -###### [Get user information](get-user-information-windows-defender-advanced-threat-protection.md) -###### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection.md) -###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md) -#####Windows updates (KB) info -###### [Get KbInfo collection](get-kbinfo-collection-windows-defender-advanced-threat-protection.md) -#####Common Vulnerabilities and Exposures (CVE) to KB map -###### [Get CVE-KB map](get-cvekbmap-collection-windows-defender-advanced-threat-protection.md) - - +#### [Windows Defender ATP APIs](apis-intro.md) #### [Managed security service provider support](mssp-support-windows-defender-advanced-threat-protection.md) ### [Microsoft Threat Protection](threat-protection-integration.md) #### [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md) -#### [Microsoft Cloud App Security integration overview](microsoft-cloud-app-security-integration.md) +#### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md) +#### [Information protection in Windows overview](information-protection-in-windows-overview.md) ### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) ## [Get started](get-started.md) +### [What's new in Windows Defender ATP](whats-new-in-windows-defender-atp.md) ### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) ### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md) ### [Preview features](preview-windows-defender-advanced-threat-protection.md) @@ -181,17 +116,21 @@ ##### [Network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) #### [Evaluate next generation protection](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md) -### [Access the Windows Security app](community-windows-defender-advanced-threat-protection.md) +### [Access the Windows Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md) ## [Configure and manage capabilities](onboard.md) ### [Configure attack surface reduction](configure-attack-surface-reduction.md) -#### [Hardware-based isolation](../windows-defender-application-guard/install-wd-app-guard.md) +###Hardware-based isolation +#### [System integrity](../windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) +#### [Application isolation](../windows-defender-application-guard/install-wd-app-guard.md) ##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md) #### [Application control](../windows-defender-application-control/windows-defender-application-control.md) -#### [Device control](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) -##### [Memory integrity](../windows-defender-exploit-guard/memory-integrity.md) -###### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) -###### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) +#### Device control +##### [Control USB devices](../device-control/control-usb-devices-using-intune.md) +##### [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) +###### [Memory integrity](../windows-defender-exploit-guard/memory-integrity.md) +####### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) +####### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) #### [Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md) ##### [Customize exploit protection](../windows-defender-exploit-guard/customize-exploit-protection.md) ##### [Import/export configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md) @@ -199,7 +138,6 @@ #### [Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md) ##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md) #### [Attack surface reduction controls](../windows-defender-exploit-guard/enable-attack-surface-reduction.md) -##### [Customize attack surface reduction](../windows-defender-exploit-guard/customize-attack-surface-reduction.md) #### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md) @@ -224,7 +162,7 @@ ##### [Report on antivirus protection](../windows-defender-antivirus/report-monitor-windows-defender-antivirus.md) ###### [Troubleshoot antivirus reporting in Update Compliance](../windows-defender-antivirus/troubleshoot-reporting.md) ##### [Manage updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md) -###### [Manage protection and definition updates](../windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md) +###### [Manage protection and Security intelligence updates](../windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md) ###### [Manage when protection updates should be downloaded and applied](../windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md) ###### [Manage updates for endpoints that are out of date](../windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md) ###### [Manage event-based forced updates](../windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md) @@ -289,6 +227,160 @@ ##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) ###### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) + +#### [Use the Windows Defender ATP exposed APIs](use-apis.md) +##### Create your app +###### [Get access on behalf of a user](exposed-apis-create-app-nativeapp.md) +###### [Get access without a user](exposed-apis-create-app-webapp.md) +##### [Supported Windows Defender ATP APIs](exposed-apis-list.md) +###### [Advanced Hunting](run-advanced-query-api.md) + +###### [Alert](alerts-windows-defender-advanced-threat-protection-new.md) +####### [List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md) +####### [Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md) +####### [Update Alert](update-alert-windows-defender-advanced-threat-protection-new.md) +####### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) +####### [Get alert related domains information](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md) +####### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) +####### [Get alert related IPs information](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) +####### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) +####### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) + +###### Domain +####### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md) +####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection-new.md) +####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection-new.md) +####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md) + +###### [File](files-windows-defender-advanced-threat-protection-new.md) +####### [Get file information](get-file-information-windows-defender-advanced-threat-protection-new.md) +####### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) +####### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md) +####### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md) + +###### IP +####### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md) +####### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection-new.md) +####### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection-new.md) +####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md) + +###### [Machine](machine-windows-defender-advanced-threat-protection-new.md) +####### [List machines](get-machines-windows-defender-advanced-threat-protection-new.md) +####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md) +####### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) +####### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) +####### [Add or Remove machine tags](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md) +####### [Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md) + +###### [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) +####### [List Machine Actions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) +####### [Get Machine Action](get-machineaction-object-windows-defender-advanced-threat-protection-new.md) +####### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md) +####### [Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) +####### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md) +####### [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md) +####### [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md) +####### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) +####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md) +####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md) +####### [Stop and quarantine file](stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md) + +###### [User](user-windows-defender-advanced-threat-protection-new.md) +####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) +####### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md) + +##### How to use APIs - Samples +###### Advanced Hunting API +####### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) +####### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) +####### [Advanced Hunting using Python](run-advanced-query-sample-python.md) +####### [Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md) +###### Multiple APIs +####### [PowerShell](exposed-apis-full-sample-powershell.md) +###### [Using OData Queries](exposed-apis-odata-samples.md) + +#### [Use the Windows Defender ATP exposed APIs (deprecated)](exposed-apis-windows-defender-advanced-threat-protection.md) +##### [Supported Windows Defender ATP APIs (deprecated)](supported-apis-windows-defender-advanced-threat-protection.md) +######Actor (deprecated) +####### [Get actor information (deprecated)](get-actor-information-windows-defender-advanced-threat-protection.md) +####### [Get actor related alerts (deprecated)](get-actor-related-alerts-windows-defender-advanced-threat-protection.md) +######Alerts (deprecated) +####### [Get alerts (deprecated)](get-alerts-windows-defender-advanced-threat-protection.md) +####### [Get alert information by ID (deprecated)](get-alert-info-by-id-windows-defender-advanced-threat-protection.md) +####### [Get alert related actor information (deprecated)](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md) +####### [Get alert related domain information (deprecated)](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md) +####### [Get alert related file information (deprecated)](get-alert-related-files-info-windows-defender-advanced-threat-protection.md) +####### [Get alert related IP information (deprecated)](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) +####### [Get alert related machine information (deprecated)](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) +######Domain (deprecated) +####### [Get domain related alerts (deprecated)](get-domain-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get domain related machines (deprecated)](get-domain-related-machines-windows-defender-advanced-threat-protection.md) +####### [Get domain statistics (deprecated)](get-domain-statistics-windows-defender-advanced-threat-protection.md) +####### [Is domain seen in organization (deprecated)](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) + +######File(deprecated) +####### [Block file (deprecated)](block-file-windows-defender-advanced-threat-protection.md) +####### [Get file information (deprecated)](get-file-information-windows-defender-advanced-threat-protection.md) +####### [Get file related alerts (deprecated)](get-file-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get file related machines (deprecated)](get-file-related-machines-windows-defender-advanced-threat-protection.md) +####### [Get file statistics (deprecated)](get-file-statistics-windows-defender-advanced-threat-protection.md) +####### [Get FileActions collection (deprecated)](get-fileactions-collection-windows-defender-advanced-threat-protection.md) +####### [Unblock file (deprecated)](unblock-file-windows-defender-advanced-threat-protection.md) + +######IP (deprecated) +####### [Get IP related alerts (deprecated)](get-ip-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get IP related machines (deprecated)](get-ip-related-machines-windows-defender-advanced-threat-protection.md) +####### [Get IP statistics (deprecated)](get-ip-statistics-windows-defender-advanced-threat-protection.md) +####### [Is IP seen in organization (deprecated)](is-ip-seen-org-windows-defender-advanced-threat-protection.md) +######Machines (deprecated) +####### [Collect investigation package (deprecated)](collect-investigation-package-windows-defender-advanced-threat-protection.md) +####### [Find machine information by IP (deprecated)](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md) +####### [Get machines (deprecated)](get-machines-windows-defender-advanced-threat-protection.md) +####### [Get FileMachineAction object (deprecated)](get-filemachineaction-object-windows-defender-advanced-threat-protection.md) +####### [Get FileMachineActions collection (deprecated)](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md) +####### [Get machine by ID (deprecated)](get-machine-by-id-windows-defender-advanced-threat-protection.md) +####### [Get machine log on users (deprecated)](get-machine-log-on-users-windows-defender-advanced-threat-protection.md) +####### [Get machine related alerts (deprecated)](get-machine-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get MachineAction object (deprecated)](get-machineaction-object-windows-defender-advanced-threat-protection.md) +####### [Get MachineActions collection (deprecated)](get-machineactions-collection-windows-defender-advanced-threat-protection.md) +####### [Get machines (deprecated)](get-machines-windows-defender-advanced-threat-protection.md) +####### [Get package SAS URI (deprecated)](get-package-sas-uri-windows-defender-advanced-threat-protection.md) +####### [Isolate machine (deprecated)](isolate-machine-windows-defender-advanced-threat-protection.md) +####### [Release machine from isolation (deprecated)](unisolate-machine-windows-defender-advanced-threat-protection.md) +####### [Remove app restriction (deprecated)](unrestrict-code-execution-windows-defender-advanced-threat-protection.md) +####### [Request sample (deprecated)](request-sample-windows-defender-advanced-threat-protection.md) +####### [Restrict app execution (deprecated)](restrict-code-execution-windows-defender-advanced-threat-protection.md) +####### [Run antivirus scan (deprecated)](run-av-scan-windows-defender-advanced-threat-protection.md) +####### [Stop and quarantine file (deprecated)](stop-quarantine-file-windows-defender-advanced-threat-protection.md) + +######User (deprecated) +####### [Get alert related user information (deprecated)](get-alert-related-user-info-windows-defender-advanced-threat-protection.md) +####### [Get user information (deprecated)](get-user-information-windows-defender-advanced-threat-protection.md) +####### [Get user related alerts (deprecated)](get-user-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get user related machines (deprecated)](get-user-related-machines-windows-defender-advanced-threat-protection.md) + + + + + + + + + + + + + + + + + + + + + + + #### API for custom alerts ##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) ##### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md) @@ -322,7 +414,8 @@ ### Configure Microsoft Threat Protection integration #### [Configure conditional access](configure-conditional-access-windows-defender-advanced-threat-protection.md) -#### [Configure Microsoft Cloud App Security integration](microsoft-cloud-app-security-config.md) +#### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md) +####[Configure information protection in Windows](information-protection-in-windows-config.md) ### [Configure Windows Security app settings](preferences-setup-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..3735e259ac --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,114 @@ +--- +title: Add or Remove Machine Tags API +description: Use this API to Add or Remove machine tags. +keywords: apis, graph api, supported apis, tags, machine tags +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Add or Remove Machine Tags API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +- Adds or remove tag to a specific machine. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Manage security setting' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/tags +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Value | String | The tag name. **Required**. +Action | Enum | Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**. + + +## Response +If successful, this method returns 200 - Ok response code and the updated Machine in the response body. + + +## Example + +**Request** + +Here is an example of a request that adds machine tag. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags +Content-type: application/json +{ + "Value" : "test Tag 2", + "Action": "Add" +} + +``` +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 200 Ok +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] +} + +``` + +- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md index b887fd19b7..c87fd3c401 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md @@ -11,7 +11,11 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/28/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 11/16/2018 --- # Configure advanced features in Windows Defender ATP @@ -89,7 +93,7 @@ Enabling this setting forwards Windows Defender ATP signals to Microsoft Cloud A >[!NOTE] >This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. -## Azure information protection +## Azure Information Protection Turning this setting on forwards signals to Azure Information Protection, giving data owners and administrators visibility into protected data on onboarded machines and machine risk ratings. diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md index 046e911ac9..3589cf3196 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md index dcda5f43d8..3fbf85c93e 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 06/01/2018 --- @@ -37,12 +41,12 @@ To effectively build queries that span multiple tables, you need to understand t | ActionType | string | Type of activity that triggered the event | | AdditionalFields | string | Additional information about the event in JSON array format | | AlertId | string | Unique identifier for the alert | +| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | | ComputerName | string | Fully qualified domain name (FQDN) of the machine | | ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it’s connected publicly to the internet. | | DefaultGateways | string | Default gateway addresses in JSON array format | -| DnsServers | string | DNS server addresses in JSON array format | +| DnsAddresses | string | DNS server addresses in JSON array format | | EventTime | datetime | Date and time when the event was recorded | -| EventType | string | Table where the record is stored | | FileName | string | Name of the file that the recorded action was applied to | | FileOriginIp | string | IP address where the file was downloaded from | | FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file | @@ -61,7 +65,7 @@ To effectively build queries that span multiple tables, you need to understand t | InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event | | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | -| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | | InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event | | InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. | | InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | @@ -71,6 +75,7 @@ To effectively build queries that span multiple tables, you need to understand t | IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory | | LocalIP | string | IP address assigned to the local machine used during communication | | LocalPort | int | TCP port on the local machine used during communication | +| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | | LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts. | | LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format | | LogonType | string | Type of logon session, specifically:

      - **Interactive** - User physically interacts with the machine using the local keyboard and screen

      - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients

      - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed

      - **Batch** - Session initiated by scheduled tasks

      - **Service** - Session initiated by services as they start
      @@ -81,7 +86,6 @@ To effectively build queries that span multiple tables, you need to understand t | NetworkAdapterName | string | Name of the network adapter | | NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2). | | NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2). | -| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format | | OSArchitecture | string | Architecture of the operating system running on the machine | | OSBuild | string | Build version of the operating system running on the machine | | OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | @@ -94,7 +98,7 @@ To effectively build queries that span multiple tables, you need to understand t | ProcessId | int | Process ID (PID) of the newly created process | | ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. | | ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process | -| ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log | +| Protocol | string | IP protocol used, whether TCP or UDP | | PublicIP | string | Public IP address used by the onboarded machine to connect to the Windows Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy. | | RegistryKey | string | Registry key that the recorded action was applied to | | RegistryValueData | string | Data of the registry value that the recorded action was applied to | @@ -102,15 +106,17 @@ To effectively build queries that span multiple tables, you need to understand t | RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to | | RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. | | RemoteIP | string | IP address that was being connected to | +| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | | RemotePort | int | TCP port on the remote device that was being connected to | | RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. | | SHA1 | string | SHA-1 of the file that the recorded action was applied to | | SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. | -| TunnelingProtocol | string | Tunneling protocol, if the interface is used for this purpose, for example:
      - Various IPv6 to IPv4 tunneling protocols (6to4, Teredo, ISATAP)
      - VPN (PPTP, SSTP)
      - SSH
      **NOTE:** This field doesn’t provide full IP tunneling specifications. | +| Table | string | Table that contains the details of the event | +| TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH | >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink) ## Related topic - [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) -- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md index 316fdb9dd1..2665b31d0e 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 08/15/2018 --- @@ -59,21 +63,22 @@ To see a live example of these operators, run them as part of the **Get started* ## Access query language documentation -For more information on the query language and supported operators, see [Query Language](https://docs.loganalytics.io/docs/Language-Reference/). +For more information on the query language and supported operators, see [Query Language](https://docs.microsoft.com/azure/log-analytics/query-language/query-language). ## Use exposed tables in Advanced hunting The following tables are exposed as part of Advanced hunting: -- **AlertEvents** - Stores alerts related information -- **MachineInfo** - Stores machines properties -- **ProcessCreationEvents** - Stores process creation events -- **NetworkCommunicationEvents** - Stores network communication events -- **FileCreationEvents** - Stores file creation, modification, and rename events -- **RegistryEvents** - Stores registry key creation, modification, rename and deletion events -- **LogonEvents** - Stores login events -- **ImageLoadEvents** - Stores load dll events -- **MiscEvents** - Stores several types of events, process injection events, access to LSASS processes, and others. +- **AlertEvents** - Alerts on Windows Defender Security Center +- **MachineInfo** - Machine information, including OS information +- **MachineNetworkInfo** - Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains +- **ProcessCreationEvents** - Process creation and related events +- **NetworkCommunicationEvents** - Network connection and related events +- **FileCreationEvents** - File creation, modification, and other file system events +- **RegistryEvents** - Creation and modification of registry entries +- **LogonEvents** - Login and other authentication events +- **ImageLoadEvents** - DLL loading events +- **MiscEvents** - Multiple event types, such as process injection, creation of scheduled tasks, and LSASS access attempts These tables include data from the last 30 days. @@ -137,8 +142,8 @@ The filter selections will resolve as an additional query term and the results w -## Public Advanced Hunting query GitHub repository -Check out the [Advanced Hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers. +## Public Advanced hunting query GitHub repository +Check out the [Advanced hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers. >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md index 6ffa18b0b6..cbe44720d3 100644 --- a/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md +++ b/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 09/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index 182eacc7b7..850fea7739 100644 --- a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..5043e422a5 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,86 @@ +--- +title: Get alerts API +description: Retrieves top recent alerts. +keywords: apis, graph api, supported apis, get, alerts, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Alert resource type +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Represents an alert entity in WDATP. + +# Methods +Method|Return Type |Description +:---|:---|:--- +[Get alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) | [Alert](alerts-windows-defender-advanced-threat-protection-new.md) | Get a single [alert](alerts-windows-defender-advanced-threat-protection-new.md) object. +[List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md) | [Alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | List [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection. +[Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)|[Alert](alerts-windows-defender-advanced-threat-protection-new.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md). +[List related domains](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)|Domain collection| List URLs associated with the alert. +[List related files](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) | [File](files-windows-defender-advanced-threat-protection-new.md) collection | List the [file](files-windows-defender-advanced-threat-protection-new.md) entities that are associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md). +[List related IPs](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) | IP collection | List IPs that are associated with the alert. +[Get related machines](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) | [Machine](machine-windows-defender-advanced-threat-protection-new.md) | The [machine](machine-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md). +[Get related users](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) | [User](user-windows-defender-advanced-threat-protection-new.md) | The [user](user-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md). + + +# Properties +Property | Type | Description +:---|:---|:--- +id | String | Alert ID. +incidentId | String | The [Incident](incidents-queue.md) ID of the Alert. +assignedTo | String | Owner of the alert. +severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'. +status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. +investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' . +classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. +determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'. +category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General' . +detectionSource | string | Detection source. +threatFamilyName | string | Threat family. +title | string | Alert title. +description | String | Description of the threat, identified by the alert. +alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created. +lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine. +firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine. +resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'. +machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert. + +# JSON representation +``` +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "id": "121688558380765161_2136280442", + "incidentId": 7696, + "assignedTo": "secop@contoso.com", + "severity": "High", + "status": "New", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description" + "alertCreationTime": "2018-11-26T16:19:21.8409809Z", + "firstEventTime": "2018-11-26T16:17:50.0948658Z", + "lastEventTime": "2018-11-26T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md index 421206a7f9..edd3eab3fe 100644 --- a/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 10/16/2017 --- diff --git a/windows/security/threat-protection/windows-defender-atp/apis-intro.md b/windows/security/threat-protection/windows-defender-atp/apis-intro.md new file mode 100644 index 0000000000..d1d2b0fceb --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/apis-intro.md @@ -0,0 +1,61 @@ +--- +title: Windows Defender Advanced Threat Protection API overview +description: Learn how you can use APIs to automate workflows and innovate based on Windows Defender ATP capabilities +keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 09/03/2018 +--- + +# Windows Defender ATP API overview + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Prerelease information](prerelease.md)] + +Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). + +In general, you’ll need to take the following steps to use the APIs: +- Create an app +- Get an access token +- Use the token to access Windows Defender ATP API + + +As a developer, you decide which permissions for Windows Defender ATP your app requests. When a user signs in to your app they (or, in some cases, an administrator) are given a chance to give consent to these permissions. If the user provides consent, your app is given access to the resources and APIs that it has requested. For apps that don't take a signed-in user, permissions can be pre-approved to by an administrator when the app is installed or during sign-up. + +## Delegated permissions, application permissions, and effective permissions + +Windows Defender ATP has two types of permissions: delegated permissions and application permissions. + +- **Delegated permissions**
      + Used by apps that have a signed-in user present. For these apps either the user or an administrator provides consent to the permissions that the app requests and the app is delegated permission to act as the signed-in user when making calls to Windows Defender ATP. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent. +- **Application permissions**
      + Used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented by an administrator. + +Effective permissions are permissions that your app will have when making requests to Windows Defender ATP. It is important to understand the difference between the delegated and application permissions that your app is granted and its effective permissions when making calls to Windows Defender ATP. + +- For delegated permissions, the effective permissions of your app will be the least privileged intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user may be determined by policy or by membership in one or more administrator roles. For more information about administrator roles, see [Assigning administrator roles in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles). + + For example, assume your app has been granted the `Machine.CollectForensics` delegated permission. This permission nominally grants your app permission to collect investigation package from a machine. If the signed-in user has 'Alerts Investigation' permission, your app will be able to collect investigation package from a machine, if the machine belongs to a group the user is exposed to. However, if the signed-in user doesn't have 'Alerts Investigation' permission, your app won't be able to collect investigation package from any machine. + +- For application permissions, the effective permissions of your app will be the full level of privileges implied by the permission. For example, an app that has the `Machine.CollectForensics` application permission can collect investigation package from any machine in the organization. + + +## Related topics +- [Supported Windows Defender ATP APIs](exposed-apis-list.md) +- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md) +- [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md index 700bbaef2b..e6775508c0 100644 --- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md @@ -11,7 +11,11 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 11/28/2018 --- # Assign user access to Windows Defender Security Center @@ -31,7 +35,7 @@ Windows Defender ATP supports two ways to manage permissions: > [!NOTE] >If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch: ->- Users with full access (Security Administrators) are automatically assigned the default **Global administrator** role, which also has full access. Only global administrators can manage permissions using RBAC. +>- Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Windows Defender ATP administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Windows Defender ATP administrator role after switching to RBAC. Only users assigned to the Windows Defender ATP administrator role can manage permissions using RBAC. >- Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC. >- After switching to RBAC, you will not be able to switch back to using basic permissions management. diff --git a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md index f54267ebfe..76ba536762 100644 --- a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md @@ -11,7 +11,11 @@ ms.pagetype: security ms.author: lomayor author: lomayor ms.localizationpriority: medium -ms.date: 28/02/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 11/20/2018 --- # Experience Windows Defender ATP through simulated attacks @@ -25,6 +29,11 @@ ms.date: 28/02/2018 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink) +>[!TIP] +>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). + + You might want to experience Windows Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Windows Defender ATP surfaces malicious activity and explore how it enables an efficient response. ## Before you begin diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md index e5750beb78..8968b3b2cf 100644 --- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md @@ -11,7 +11,11 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 12/04/2018 --- # Overview of Automated investigations @@ -31,6 +35,7 @@ Entities are the starting point for Automated investigations. When an alert cont >[!NOTE] >Currently, Automated investigation only supports Windows 10, version 1803 or later. +>Some investigation playbooks, like memory investigations, require Windows 10, version 1809 or later. The alerts start by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view. diff --git a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md index 11611c7741..6317c4b3cb 100644 --- a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md @@ -11,7 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/13/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Use basic permissions to access the portal @@ -66,22 +69,8 @@ Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@C For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). ## Assign user access using the Azure portal +For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). -1. Go to the [Azure portal](https://portal.azure.com). - -2. Select **Azure Active Directory**. - -3. Select **Manage** > **Users and groups**. - -4. Select **Manage** > **All users**. - -5. Search or select the user you want to assign the role to. - -6. Select **Manage** > **Directory role**. - -7. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**. - - ![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png) ## Related topic - [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md index 16ae492cd3..08d856647a 100644 --- a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md @@ -11,15 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Block file API +# Block file API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Prevent a file from being executed in the organization using Windows Defender Antivirus. diff --git a/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md index 4b525298cf..3571e067fc 100644 --- a/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..70fb7fe34a --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,102 @@ +--- +title: Collect investigation package API +description: Use this API to create calls related to the collecting an investigation package from a machine. +keywords: apis, graph api, supported apis, collect investigation package +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Collect investigation package API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Collect investigation package from a machine. + +[!include[Machine actions note](machineactionsnote.md)] + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.CollectForensics | 'Collect forensics' +Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/collectInvestigationPackage +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage +Content-type: application/json +{ + "Comment": "Collect forensics due to alert 1234" +} +``` + +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "c9042f9b-8483-4526-87b5-35e4c2532223", + "type": "CollectInvestigationPackage", + "requestor": "Analyst@contoso.com", + "requestorComment": " Collect forensics due to alert 1234", + "status": "InProgress", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z", + "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z", + "relatedFileInfo": null +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md index f6394dc5a6..6260351a2c 100644 --- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Collect investigation package API +# Collect investigation package API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecatedinformation](deprecate.md)] Collect investigation package from a machine. diff --git a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md index 4561797028..bbe7653865 100644 --- a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md index 4e24ca1381..70e3d006fa 100644 --- a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md index b3d5cbfb91..852dfacc9f 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -11,7 +11,11 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 10/16/2017 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/20/2018 --- # Configure HP ArcSight to pull Windows Defender ATP alerts @@ -51,10 +55,10 @@ This section guides you in getting the necessary information to set and use the You can generate these tokens from the **SIEM integration** setup section of the portal. -## Install and configure HP ArcSight SmartConnector +## Install and configure HP ArcSight FlexConnector The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). -1. Install the latest 32-bit Windows SmartConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightSmartConnectors\current\bin`.

      You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location. +1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.

      You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location. 2. Follow the installation wizard through the following tasks: - Introduction @@ -66,7 +70,7 @@ The following steps assume that you have completed all the required steps in [Be You can keep the default values for each of these tasks or modify the selection to suit your requirements. -3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the SmartConnector installation location, for example: +3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the FlexConnector installation location, for example: - WDATP-connector.jsonparser.properties: C:\\*folder_location*\current\user\agent\flexagent\ diff --git a/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md index 0c6419eb05..80f6666db3 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 07/01/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md index 2c223e0718..b57e79e61b 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 09/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index 94c5bfc2d5..d926b28800 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 10/08/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index 9b791272a5..ad6b565b7e 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index e0c41580fa..7eb6e5ace0 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -11,7 +11,11 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/19/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/06/2018 --- # Onboard Windows 10 machines using Mobile Device Management tools @@ -34,27 +38,10 @@ For more information on enabling MDM with Microsoft Intune, see [Setup Windows D ## Onboard machines using Microsoft Intune +Follow the instructions from [Intune](https://docs.microsoft.com/intune/advanced-threat-protection). + For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). -### Use the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher - -1. Login to the [Microsoft Azure portal](https://portal.azure.com). - -2. Select **Device Configuration > Profiles > Create profile**. - -3. Enter a **Name** and **Description**. - -4. For **Platform**, select **Windows 10 and later**. - -5. For **Profile type**, select **Windows Defender ATP (Windows 10 Desktop)**. - -6. Configure the settings: - - **Onboard Configuration Package**: Browse and select the **WindowsDefenderATP.onboarding** file you downloaded. This file enables a setting so devices can report to the Windows Defender ATP service. - - **Sample sharing for all files**: Allows samples to be collected, and shared with Windows Defender ATP. For example, if you see a suspicious file, you can submit it to Windows Defender ATP for deep analysis. - - **Expedite telemetry reporting frequency**: For devices that are at high risk, enable this setting so it reports telemetry to the Windows Defender ATP service more frequently. - - **Offboard Configuration Package**: If you want to remove Windows Defender ATP monitoring, you can download an offboarding package from Windows Defender Security Center, and add it. Otherwise, skip this property. - -7. Select **OK**, and **Create** to save your changes, which creates the profile. > [!NOTE] > - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md index 3702b187d3..541f53e85e 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md @@ -10,7 +10,10 @@ ms.sitesec: library ms.pagetype: security author: mjcaparas ms.localizationpriority: medium -ms.date: 10/03/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Onboard non-Windows machines @@ -33,11 +36,11 @@ You'll need to take the following steps to onboard non-Windows machines: 1. Turn on third-party integration 2. Run a detection test -### Turn on third-party integration +## Turn on third-party integration 1. In the navigation pane, select **Settings** > **Onboarding**. Make sure the third-party solution is listed. -2. Select Mac and Linux as the operating system. +2. Select **Linux, macOS, iOS and Android** as the operating system. 3. Turn on the third-party solution integration. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 707a5887a8..4136a69a74 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -11,7 +11,11 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/11/2018 --- # Onboard Windows 10 machines using System Center Configuration Manager diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md index 69bb28ccaa..e4df4b05b7 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITProarticle +ms.collection: M365-security-compliance +ms.topic: ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md index caa1e6b2b4..8ee8615f84 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md index 8371836083..89b42c84ff 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 07/12/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md index cbff3e3945..785c598a10 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 09/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index c7d9e056c4..6c38860bcb 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -11,7 +11,11 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/12/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 02/14/2019 --- @@ -85,7 +89,7 @@ netsh winhttp set proxy : For example: netsh winhttp set proxy 10.0.0.6:8080 ## Enable access to Windows Defender ATP service URLs in the proxy server -If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443: +If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Windows Defender ATP service in port 80 and 443: >[!NOTE] > URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later. @@ -98,7 +102,27 @@ United Kingdom | ```uk.vortex-win.data.microsoft.com```
      ```uk-v20.events.dat United States | ```us.vortex-win.data.microsoft.com```
      ```us-v20.events.data.microsoft.com```
      ```winatp-gw-cus.microsoft.com```
      ```winatp-gw-eus.microsoft.com``` -If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. + +If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. + +## Windows Defender ATP service backend IP range +If you network devices don't support the URLs white-listed in the prior section, you can use the following information. + +Windows Defender ATP is built on Azure cloud, deployed in the following regions: + +- \+\ +- \+\ +- \+\ +- \+\ +- \+\ +- \+\ +- \+\ + + +You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653). + +>[!NOTE] +> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting. ## Verify client connectivity to Windows Defender ATP service URLs diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 32cc18106d..93dc8a9bec 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -10,7 +10,11 @@ ms.sitesec: library ms.pagetype: security author: mjcaparas ms.localizationpriority: medium -ms.date: 11/02/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/14/2018 --- # Onboard servers to the Windows Defender ATP service @@ -69,7 +73,7 @@ The following steps are required to enable this integration: 1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. -2. Select Windows server 2012, 2012R2 and 2016 as the operating system. +2. Select Windows Server 2012R2 and 2016 as the operating system. 3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. @@ -109,7 +113,15 @@ Agent Resource | Ports | winatp-gw-aue.microsoft.com |443 | ## Windows Server, version 1803 and Windows Server 2019 -To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. +To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines. + +Supported tools include: +- Local script +- Group Policy +- System Center Configuration Manager 2012 / 2012 R2 1511 / 1602 +- VDI onboarding scripts for non-persistent machines + + For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. 1. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). @@ -189,7 +201,7 @@ To offboard the server, you can use either of the following methods: 1. Get your Workspace ID: a. In the navigation pane, select **Settings** > **Onboarding**. - b. Select **Windows server 2012, 2012R2 and 2016** as the operating system and get your Workspace ID: + b. Select **Windows Server 2012R2 and 2016** as the operating system and get your Workspace ID: ![Image of server onboarding](images/atp-server-offboarding-workspaceid.png) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md index e2c82a3cc0..b59c733f97 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 10/16/2017 --- diff --git a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md index 09b8cf9087..2177e72018 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 10/16/2017 --- diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..d20d381975 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,97 @@ +--- +title: Create alert from event API +description: Creates an alert using event details +keywords: apis, graph api, supported apis, get, alert, information, id +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Create alert from event API +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +[!include[Prereleaseinformation](prerelease.md)] + + +Enables using event data, as obtained from the [Advanced Hunting](run-advanced-query-api.md) for creating a new alert entity. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alerts.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | String | application/json. **Required**. + +## Request body +In the request body, supply the following values (all are required): + +Property | Type | Description +:---|:---|:--- +machineId | String | Id of the machine on which the event was identified. **Required**. +severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**. +title | String | Title for the alert. **Required**. +description | String | Description of the alert. **Required**. +recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. +eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**. +reportId | String | The reportId, as obtained from the advanced query. **Required**. +category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'. + + +## Response +If successful, this method returns 200 OK, and a new [alert](alerts-windows-defender-advanced-threat-protection-new.md) object in the response body. If event with the specified properties (_reportId_, _eventTime_ and _machineId_) was not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference +Content-Length: application/json + +{ + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "severity": "Low", + "title": "test alert", + "description": "test alert", + "recommendedAction": "test alert", + "eventTime": "2018-08-03T16:45:21.7115183Z", + "reportId": "20776", + "category": "None" +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md index 60545d5706..3938e9b3f5 100644 --- a/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 10/29/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md index 8bc7172555..14a91c2829 100644 --- a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- @@ -187,7 +191,6 @@ The API currently supports the following IOC types: - Sha1 - Sha256 - Md5 -- FileName - IpAddress - DomainName diff --git a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md index 0232707da6..911625d579 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 04/24/2018 --- # Update data retention settings for Windows Defender ATP diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index c2a6e3f9c3..92e081ea4a 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 09/07/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md index 420fba6b8f..61c31958f3 100644 --- a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 04/24/2018 --- @@ -31,7 +35,7 @@ The Windows Defender Advanced Threat Protection agent depends on Windows Defende >[!IMPORTANT] >Windows Defender ATP does not adhere to the Windows Defender Antivirus Exclusions settings. -You must configure the signature updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md). +You must configure Security intelligence updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md). If an onboarded machine is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode. diff --git a/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..e293b7a30d --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,81 @@ +--- +title: Delete Ti Indicator. +description: Deletes Ti Indicator entity by ID. +keywords: apis, public api, supported apis, delete, ti indicator, entity, id +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Delete TI Indicator API + +[!include[Prereleaseinformation](prerelease.md)] + +>[!Note] +> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information) + + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +Retrieves a TI Indicator entity by ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Ti.ReadWrite | 'Read and write TI Indicators' + + +## HTTP request +``` +Delete https://api.securitycenter.windows.com/api/tiindicators/{id} +``` + +[!include[Improve request performance](improverequestperformance-new.md)] + + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If TI Indicator exist and deleted successfully - 204 OK without content. +If TI Indicator with the specified id was not found - 404 Not Found. + +## Example + +**Request** + +Here is an example of the request. + +``` +DELETE https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 204 NO CONTENT + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/deprecate.md b/windows/security/threat-protection/windows-defender-atp/deprecate.md new file mode 100644 index 0000000000..fe73a4d416 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/deprecate.md @@ -0,0 +1,7 @@ +--- +ms.date: 10/17/2018 +--- +>[!WARNING] + + +> This page documents a feature that will soon be deprecated. For the updated and supported version, see [Use the Windows Defender ATP APIs](use-apis.md). \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md index f13739ad9c..aca29a67c7 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md index e88f1959d0..73b494e5e7 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md index fbe3783a63..c8e00fbc8f 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -11,7 +11,11 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 10/08/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/10/2018 --- # Enable SIEM integration in Windows Defender ATP @@ -20,20 +24,29 @@ ms.date: 10/08/2018 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) Enable security information and event management (SIEM) integration so you can pull alerts from Windows Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API. +## Prerequisites +- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role. +- During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow pop-ups for this site. + +## Enabling SIEM integration 1. In the navigation pane, select **Settings** > **SIEM**. - ![Image of SIEM integration from Settings menu](images/atp-siem-integration.png) + ![Image of SIEM integration from Settings menu](images/enable_siem.png) + + >[!TIP] + >If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability. 2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. - > [!WARNING] - >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
      - For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). + > [!WARNING] + >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
      + For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). + + ![Image of SIEM integration from Settings menu](images/siem_details.png) 3. Choose the SIEM type you use in your organization. diff --git a/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md b/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md index 3422e6cbff..1311f7c265 100644 --- a/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md +++ b/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 08/10/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md index 7d43f2c2a2..af1f166fa2 100644 --- a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 05/21/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md index 8aeb2539ee..c41d6d1439 100644 --- a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 11/09/2017 --- diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md new file mode 100644 index 0000000000..9109892c6d --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md @@ -0,0 +1,179 @@ +--- +title: Use Windows Defender Advanced Threat Protection APIs +description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. +keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 09/03/2018 +--- + +# Use Windows Defender ATP APIs + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +[!include[Prerelease information](prerelease.md)] + + +This page describe how to create an application to get programmatical access to Windows Defender ATP on behalf of a user. + +If you need programmatical access Windows Defender ATP without a user, refer to [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md). + +If you are not sure which access you need, read the [Introduction page](apis-intro.md). + +Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). + +In general, you’ll need to take the following steps to use the APIs: +- Create an app +- Get an access token +- Use the token to access Windows Defender ATP API + +This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission. + +>[!NOTE] +> When accessing Windows Defender ATP API on behalf of a user, you will need the correct app permission and user permission. +> If you are not familiar with user permissions on Windows Defender ATP, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md). + +>[!TIP] +> If you have the permission to perform an action in the portal, you have the permission to perform the action in the API. + +## Create an app + +1. Log on to [Azure](https://portal.azure.com). + +2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. + + ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png) + +3. In the Create window, enter the following information then click **Create**. + + ![Image of Create application window](images/nativeapp-create.png) + + - **Name:** -Your app name- + - **Application type:** Native + - **Redirect URI:** `https://127.0.0.1` + + +4. Click **Settings** > **Required permissions** > **Add**. + + ![Image of new app in Azure](images/nativeapp-add-permission.png) + +5. Click **Select an API** > **WindowsDefenderATP**, then click **Select**. + + **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. + + ![Image of API access and API selection](images/webapp-add-permission-2.png) + +6. Click **Select permissions** > check **Read alerts** and **Collect forensics** > **Select**. + + >[!IMPORTANT] + >You need to select the relevant permissions. 'Read alerts' and 'Collect forensics' are only an example. + + ![Image of select permissions](images/nativeapp-select-permissions.png) + + For instance, + + - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission + - To [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), select 'Isolate machine' permission + + To determine which permission you need, look at the **Permissions** section in the API you are interested to call. + + +7. Click **Done** + + ![Image of add permissions completion](images/nativeapp-add-permissions-end.png) + +8. Click **Grant permissions** + + In order to add the new selected permissions to the app, the Admin's tenant must press on the **Grant permissions** button. + + If in the future you will want to add more permission to the app, you will need to press on the **Grant permissions** button again so the changes will take effect. + + ![Image of Grant permissions](images/webapp-grant-permissions.png) + +9. Write down your application ID. + + ![Image of app ID](images/nativeapp-get-appid.png) + + +## Get an access token + +For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) + +### Using C# + +The code was below tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8 + +- Create a new Console Application +- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/) +- Add the below using + + ``` + using Microsoft.IdentityModel.Clients.ActiveDirectory; + ``` + +- Copy/Paste the below code in your application (pay attention to the comments in the code) + + ``` + const string authority = "https://login.windows.net"; + const string wdatpResourceId = "https://api.securitycenter.windows.com"; + + string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here + string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here + + string username = "SecurityAdmin123@microsoft.com"; // Paste your username here + string password = GetPasswordFromSafePlace(); // Paste your own password here for a test, and then store it in a safe place! + + UserPasswordCredential userCreds = new UserPasswordCredential(username, password); + + AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}"); + AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, appId, userCreds).GetAwaiter().GetResult(); + string token = authenticationResult.AccessToken; + ``` + +## Validate the token + +Sanity check to make sure you got a correct token: +- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it +- Validate you get a 'scp' claim with the desired app permissions +- In the screenshot below you can see a decoded token acquired from the app in the tutorial: + +![Image of token validation](images/nativeapp-decoded-token.png) + +## Use the token to access Windows Defender ATP API + +- Choose the API you want to use - [Supported Windows Defender ATP APIs](exposed-apis-list.md) +- Set the Authorization header in the HTTP request you send to "Bearer {token}" (Bearer is the Authorization scheme) +- The Expiration time of the token is 1 hour (you can send more then one request with the same token) + +- Example of sending a request to get a list of alerts **using C#** + ``` + var httpClient = new HttpClient(); + + var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts"); + + request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token); + + var response = await httpClient.SendAsync(request).ConfigureAwait(false); + + // Do something useful with the response + ``` + +## Related topics +- [Windows Defender ATP APIs](apis-intro.md) +- [Supported Windows Defender ATP APIs](exposed-apis-list.md) +- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md new file mode 100644 index 0000000000..a3afcae8bd --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md @@ -0,0 +1,224 @@ +--- +title: Create an app to access Windows Defender ATP without a user +description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. +keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 09/03/2018 +--- + +# Create an app to access Windows Defender ATP without a user + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Prerelease information](prerelease.md)] + +This page describes how to create an application to get programmatical access to Windows Defender ATP without a user. + +If you need programmatical access Windows Defender ATP on behalf of a user, see [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md) + +If you are not sure which access you need, see [Use Windows Defender ATP APIs](apis-intro.md). + +Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). + +In general, you’ll need to take the following steps to use the APIs: +- Create an app +- Get an access token +- Use the token to access Windows Defender ATP API + +This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission. + +## Create an app + +1. Log on to [Azure](https://portal.azure.com). + +2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. + + ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png) + +3. In the Create window, enter the following information then click **Create**. + + ![Image of Create application window](images/webapp-create.png) + + - **Name:** WdatpEcosystemPartner + - **Application type:** Web app / API + - **Redirect URI:** `https://WdatpEcosystemPartner.com` (The URL where user can sign in and use your app. You can change this URL later.) + + +4. Click **Settings** > **Required permissions** > **Add**. + + ![Image of new app in Azure](images/webapp-add-permission.png) + +5. Click **Select an API** > **WindowsDefenderATP**, then click **Select**. + + **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. + + ![Image of API access and API selection](images/webapp-add-permission-2.png) + +6. Click **Select permissions** > **Run advanced queries** > **Select**. + + **Important note**: You need to select the relevant permission. 'Run advanced queries' is only an example! + + ![Image of select permissions](images/webapp-select-permission.png) + + For instance, + + - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission + - To [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), select 'Isolate machine' permission + + To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. + +7. Click **Done** + + ![Image of add permissions completion](images/webapp-add-permission-end.png) + +8. Click **Grant permissions** + + In order to add the new selected permissions to the app, the Admin's tenant must press on the **Grant permissions** button. + + If in the future you will want to add more permission to the app, you will need to press on the **Grant permissions** button again so the changes will take effect. + + ![Image of Grant permissions](images/webapp-grant-permissions.png) + +9. Click **Keys** and type a key name and click **Save**. + + **Important**: After you save, **copy the key value**. You won't be able to retrieve after you leave! + + ![Image of create app key](images/webapp-create-key.png) + +10. Write down your application ID. + + ![Image of app ID](images/webapp-get-appid.png) + +11. Set your application to be multi-tenanted + + This is **required** for 3rd party apps (for example, if you create an application that is intended to run in multiple customers tenant). + + This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data)​ + + Click **Properties** > **Yes** > **Save**. + + ![Image of multi tenant](images/webapp-edit-multitenant.png) + + +## Application consent +You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with WDATP application on behalf of your customer. + +You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory. + +Consent link is of the form: + +``` +https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true​ +``` + +where 00000000-0000-0000-0000-000000000000​ should be replaced with your Azure application ID + + +## Get an access token + +For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) + +### Using C# + +>The below code was tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8 + +- Create a new Console Application +- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/) +- Add the below using + + ``` + using Microsoft.IdentityModel.Clients.ActiveDirectory; + ``` + +- Copy/Paste the below code in your application (do not forget to update the 3 variables: ```tenantId, appId, appSecret```) + + ``` + string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here + string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here + string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place! + + const string authority = "https://login.windows.net"; + const string wdatpResourceId = "https://api.securitycenter.windows.com"; + + AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/"); + ClientCredential clientCredential = new ClientCredential(appId, appSecret); + AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, clientCredential).GetAwaiter().GetResult(); + string token = authenticationResult.AccessToken; + ``` + +### Using PowerShell + +Refer to [Get token using PowerShell](run-advanced-query-sample-powershell.md#get-token) + +### Using Python + +Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token) + +### Using Curl + +> [!NOTE] +> The below procedure supposed Curl for Windows is already installed on your computer + +- Open a command window +- ​Set CLIENT_ID to your Azure application ID +- Set CLIENT_SECRET to your Azure application secret +- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access WDATP application +- Run the below command: + +``` +curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice​/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID​%/oauth2/v2.0/token" -k​ +``` + +You will get an answer of the form: + +``` +{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn aWReH7P0s0tjTBX8wGWqJUdDA"} +``` + +## Validate the token + +Sanity check to make sure you got a correct token: +- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it +- Validate you get a 'roles' claim with the desired permissions +- In the screenshot below you can see a decoded token acquired from an app with permissions to all of Wdatp's roles: + +![Image of token validation](images/webapp-decoded-token.png) + +## Use the token to access Windows Defender ATP API + +- Choose the API you want to use, for more information, see [Supported Windows Defender ATP APIs](exposed-apis-list.md) +- Set the Authorization header in the Http request you send to "Bearer {token}" (Bearer is the Authorization scheme) +- The Expiration time of the token is 1 hour (you can send more then one request with the same token) + +- Example of sending a request to get a list of alerts **using C#** + ``` + var httpClient = new HttpClient(); + + var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts"); + + request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token); + + var response = await httpClient.SendAsync(request).ConfigureAwait(false); + + // Do something useful with the response + ``` + +## Related topics +- [Windows Defender ATP APIs](apis-intro.md) +- [Supported Windows Defender ATP APIs](exposed-apis-list.md) +- [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md new file mode 100644 index 0000000000..b65c98cd30 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md @@ -0,0 +1,122 @@ +--- +title: Advanced Hunting API +description: Use this API to run advanced queries +keywords: apis, supported apis, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 09/24/2018 +--- + +# Windows Defender ATP APIs using PowerShell +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + + +Full scenario using multiple APIs from Windows Defender ATP. + +In this section we share PowerShell samples to + - Retrieve a token + - Use token to retrieve the latest alerts in Windows Defender ATP + - For each alert, if the alert has medium or high priority and is still in progress, check how many times the machine has connected to suspicious URL. + +>**Prerequisite**: You first need to [create an app](apis-intro.md). + +## Preparation Instructions + +- Open a PowerShell window. +- If your policy does not allow you to run the PowerShell commands, you can run the below command: +``` +Set-ExecutionPolicy -ExecutionPolicy Bypass +``` + +>For more details, refer to [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy) + +## Get token + +- Run the below + +> - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) +> - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP) +> - $appSecret: Secret of your AAD app +> - $suspiciousUrl: The URL + + +``` +$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here +$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here +$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here +$suspiciousUrl = 'www.suspiciousUrl.com' # Paste your own URL here + +$resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice' +$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" +$authBody = [Ordered] @{ + resource = "$resourceAppIdUri" + client_id = "$appId" + client_secret = "$appSecret" + grant_type = 'client_credentials' +} +$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop +$aadToken = $authResponse.access_token + + +#Get latest alert +$alertUrl = "https://api.securitycenter.windows.com/api/alerts?`$top=10" +$headers = @{ + 'Content-Type' = 'application/json' + Accept = 'application/json' + Authorization = "Bearer $aadToken" +} +$alertResponse = Invoke-WebRequest -Method Get -Uri $alertUrl -Headers $headers -ErrorAction Stop +$alerts = ($alertResponse | ConvertFrom-Json).value + +$machinesToInvestigate = New-Object System.Collections.ArrayList + +Foreach($alert in $alerts) +{ + #echo $alert.id $alert.machineId $alert.severity $alert.status + + $isSevereAlert = $alert.severity -in 'Medium', 'High' + $isOpenAlert = $alert.status -in 'InProgress', 'New' + if($isOpenAlert -and $isSevereAlert) + { + if (-not $machinesToInvestigate.Contains($alert.machineId)) + { + $machinesToInvestigate.Add($alert.machineId) > $null + } + } +} + +$commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","') + +$query = "NetworkCommunicationEvents +| where MachineId in ($commaSeparatedMachines) +| where RemoteUrl == `"$suspiciousUrl`" +| summarize ConnectionsCount = count() by MachineId" + +$queryUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run" + +$queryBody = ConvertTo-Json -InputObject @{ 'Query' = $query } +$queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop +$response = ($queryResponse | ConvertFrom-Json).Results +$response + +``` + + +## Related topic +- [Windows Defender ATP APIs](apis-intro.md) +- [Advanced Hunting API](run-advanced-query-api.md) +- [Advanced Hunting using Python](run-advanced-query-sample-python.md) +- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md new file mode 100644 index 0000000000..55933fb093 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md @@ -0,0 +1,62 @@ +--- +title: Supported Windows Defender Advanced Threat Protection query APIs +description: Learn about the specific supported Windows Defender Advanced Threat Protection entities where you can create API calls to. +keywords: apis, supported apis, actor, alerts, machine, user, domain, ip, file, advanced queries, advanced hunting +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 30/07/2018 +--- + +# Supported Windows Defender ATP query APIs + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink) + +## End Point URI and Versioning + +### End Point URI: + +> The service base URI is: https://api.securitycenter.windows.com + +> The queries based OData have the '/api' prefix. For example, to get Alerts you can send GET request to https://api.securitycenter.windows.com/api/alerts + +### Versioning: + +> The API supports versioning. + +> The current version is **V1.0**. + +> To use a specific version, use this format: https://api.securitycenter.windows.com/api/{Version}. For example: https://api.securitycenter.windows.com/api/v1.0/alerts + +> If you don't specify any version (e.g., https://api.securitycenter.windows.com/api/alerts ) you will get to the latest version. + + +Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. + +## In this section +Topic | Description +:---|:--- +Advanced Hunting | Run queries from API. +Alerts | Run API calls such as get alerts, alert information by ID, alert related actor information, alert related IP information, and alert related machine information. +Domain |Run API calls such as get domain related machines, domain related machines, statistics, and check if a domain is seen in your organization. +File | Run API calls such as get file information, file related alerts, file related machines, and file statistics. +IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization. +Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID. +User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines. + +## Related topic +- [Windows Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md new file mode 100644 index 0000000000..581c198d4a --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md @@ -0,0 +1,282 @@ +--- +title: OData queries with Windows Defender ATP +description: OData queries with Windows Defender ATP +keywords: apis, supported apis, odata, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 11/15/2018 +--- + +# OData queries with Windows Defender ATP +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +- If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/) + +- Not all properties are filterable. + +### Properties that supports $filter: + +- [Alert](alerts-windows-defender-advanced-threat-protection-new.md): Id, IncidentId, AlertCreationTime, Status, Severity and Category. +- [Machine](machine-windows-defender-advanced-threat-protection-new.md): Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId. +- [MachineAction](machineaction-windows-defender-advanced-threat-protection-new.md): Id, Status, MachineId, Type, Requestor and CreationDateTimeUtc. + +### Example 1 + +- Get all the machines with the tag 'ExampleTag' + +``` +HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag') +``` + +**Response:** + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "High", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] + }, + . + . + . + ] +} +``` + +### Example 2 + +- Get all the alerts that created after 2018-10-20 00:00:00 + +``` +HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime gt 2018-11-22T00:00:00Z +``` + +**Response:** + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "value": [ + { + "id": "121688558380765161_2136280442", + "incidentId": 7696, + "assignedTo": "secop@contoso.com", + "severity": "High", + "status": "New", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-26T16:19:21.8409809Z", + "firstEventTime": "2018-11-26T16:17:50.0948658Z", + "lastEventTime": "2018-11-26T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + }, + . + . + . + ] +} +``` + +### Example 3 + +- Get all the machines with 'High' 'RiskScore' + +``` +HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore eq 'High' +``` + +**Response:** + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "High", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] + }, + . + . + . + ] +} +``` + +### Example 4 + +- Get top 100 machines with 'HealthStatus' not equals to 'Active' + +``` +HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus ne 'Active'&$top=100 +``` + +**Response:** + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "High", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] + }, + . + . + . + ] +} +``` + +### Example 5 + +- Get all the machines that last seen after 2018-10-20 + +``` +HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z +``` + +**Response:** + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "High", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] + }, + . + . + . + ] +} +``` + +### Example 6 + +- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Windows Defender ATP + +``` +HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@WcdTestPrd.onmicrosoft.com' and type eq 'RunAntiVirusScan' +``` + +**Response:** + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions", + "value": [ + { + "id": "5c3e3322-d993-1234-1111-dfb136ebc8c5", + "type": "RunAntiVirusScan", + "requestor": "Analyst@examples.onmicrosoft.com", + "requestorComment": "1533", + "status": "Succeeded", + "machineId": "123321c10e44a82877af76b1d0161a17843f688a", + "creationDateTimeUtc": "2018-11-12T13:33:24.5755657Z", + "lastUpdateDateTimeUtc": "2018-11-12T13:34:32.0319826Z", + "relatedFileInfo": null + }, + . + . + . + ] +} +``` + +## Related topic +- [Windows Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md index 82d6912c6d..5fd529d286 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md @@ -11,10 +11,14 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 10/23/2017 --- -# Use the Windows Defender ATP exposed APIs +# Use the Windows Defender ATP exposed APIs (deprecated) **Applies to:** diff --git a/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..6a846b32c3 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,53 @@ +--- +title: File resource type +description: Retrieves top recent alerts. +keywords: apis, graph api, supported apis, get, alerts, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# File resource type + +[!include[Prerelease information](prerelease.md)] + +Represent a file entity in WDATP. + +# Methods +Method|Return Type |Description +:---|:---|:--- +[Get file](get-file-information-windows-defender-advanced-threat-protection-new.md) | [file](files-windows-defender-advanced-threat-protection-new.md) | Get a single file +[List file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | Get the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities that are associated with the file. +[List file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | Get the [machine](machine-windows-defender-advanced-threat-protection-new.md) entities associated with the alert. +[file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md) | Statistics summary | Retrieves the prevalence for the given file. + + +# Properties +Property | Type | Description +:---|:---|:--- +sha1 | String | Sha1 hash of the file content +sha256 | String | Sha256 hash of the file content +md5 | String | md5 hash of the file content +globalPrevalence | Integer | File prevalence across organization +globalFirstObserved | DateTimeOffset | First time the file was observed. +globalLastObserved | DateTimeOffset | Last time the file was observed. +size | Integer | Size of the file. +fileType | String | Type of the file. +isPeFile | Boolean | true if the file is portable executable (e.g. "DLL", "EXE", etc.) +filePublisher | String | File publisher. +fileProductName | String | Product name. +signer | String | File signer. +issuer | String | File issuer. +signerHash | String | Hash of the signing certificate. +isValidCertificate | Boolean | Was signing certificate successfully verified by WDATP agent. + diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..5e8d10dd1e --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,92 @@ +--- +title: Find machine information by internal IP API +description: Use this API to create calls related to finding a machine entry around a specific timestamp by internal IP. +keywords: ip, apis, graph api, supported apis, find machine, machine information +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/25/2018 +--- + +# Find machine information by internal IP API + +[!include[Prerelease information](prerelease.md)] + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +Find a machine by internal IP. + +>[!NOTE] +>The timestamp must be within the last 30 days. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' + +## HTTP request +``` +GET /api/machines/find(timestamp={time},key={IP}) +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and machine exists - 200 OK. +If no machine found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61') +Content-type: application/json +``` + +**Response** + +Here is an example of the response. + +The response will return a list of all machines that reported this IP address within sixteen minutes prior and after the timestamp. + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines", + "value": [ + { + "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb", + "computerDnsName": "", + "firstSeen": "2017-07-06T01:25:04.9480498Z", + "osPlatform": "Windows10", +… +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md index 0f74a2e1cf..31dd495489 100644 --- a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md @@ -11,15 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 07/25/2018 --- -# Find machine information by internal IP API +# Find machine information by internal IP API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Find a machine entity around a specific timestamp by internal IP. diff --git a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..a3f532f281 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,111 @@ +--- +title: Find machines by internal IP API +description: Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp +keywords: apis, graph api, supported apis, get, machine, IP, find, find machine, by ip, ip +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Find machines by internal IP API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +- Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp +- The given timestamp must be in the past 30 days. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp}) +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and machines were found - 200 OK with list of the machines in the response body. +If no machine found - 404 Not Found. +If the timestamp is not in the past 30 days - 400 Bad Request. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2018-09-22T08:44:05Z) +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-09-22T08:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "10.248.240.38", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md index 77d40948be..c1c26a4658 100644 --- a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 10/23/2017 --- diff --git a/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md index 12e531ccb6..9a091b8391 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md @@ -11,16 +11,21 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get actor information API +# Get actor information API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Retrieves an actor information report. diff --git a/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md index 216bf3fd90..bd46788176 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md @@ -11,15 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get actor related alerts API +# Get actor related alerts API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves all alerts related to a given actor. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..3cbd5cc31e --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,102 @@ +--- +title: Get alert information by ID API +description: Retrieves an alert by its ID. +keywords: apis, graph api, supported apis, get, alert, information, id +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get alert information by ID API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Retrieves an alert by its ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alert.Read.All | 'Read all alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.Read | 'Read alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/alerts/{id} +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK, and the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entity in the response body. If alert with the specified id was not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/alerts/441688558380765161_2136280442 +``` + +**Response** + +Here is an example of the response. + + +``` +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md index d74debcef4..99122fe355 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md @@ -11,15 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get alert information by ID API +# Get alert information by ID API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves an alert by its ID. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md index 6eb366dc10..6fbf1c4597 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md @@ -11,15 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get alert related actor information API +# Get alert related actor information API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Retrieves the actor information related to the specific alert. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..5e0a0256ae --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,90 @@ +--- +title: Get alert related domains information +description: Retrieves all domains related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related domain +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get alert related domain information API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Retrieves all domains related to a specific alert. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | URL.Read.All | 'Read URLs' +Delegated (work or school account) | URL.Read.All | 'Read URLs' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/alerts/{id}/domains +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and alert and domain exist - 200 OK. If alert not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + + +``` +GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/domains +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/$metadata#Domains", + "value": [ + { + "host": "www.example.com" + } + ] +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md index 4558e6c341..232626e443 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md @@ -11,16 +11,23 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get alert related domain information API +# Get alert related domain information API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] + + Retrieves all domains related to a specific alert. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..a286bb19f9 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,103 @@ +--- +title: Get alert related files information +description: Retrieves all files related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related files +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get alert related files information API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Retrieves all files related to a specific alert. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | File.Read.All | 'Read file profiles' +Delegated (work or school account) | File.Read.All | 'Read file profiles' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/alerts/{id}/files +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and alert and files exist - 200 OK. If alert not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/files +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files", + "value": [ + { + "sha1": "654f19c41d9662cf86be21bf0af5a88c38c56a9d", + "sha256": "2f905feec2798cee6f63da2c26758d86bfeaab954c01e20ac7085bf55fedde87", + "md5": "82849dc81d94056224445ea73dc6153a", + "globalPrevalence": 33, + "globalFirstObserved": "2018-07-17T18:17:27.5909748Z", + "globalLastObserved": "2018-08-06T16:07:12.9414137Z", + "windowsDefenderAVThreatName": null, + "size": 801112, + "fileType": "PortableExecutable", + "isPeFile": true, + "filePublisher": null, + "fileProductName": null, + "signer": "Microsoft Windows", + "issuer": "Microsoft Development PCA 2014", + "signerHash": "9e284231a4d1c53fc8d4492b09f65116bf97447f", + "isValidCertificate": true + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md index 46fc01cffb..aac3ca91b8 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md @@ -11,15 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get alert related files information API +# Get alert related files information API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves all files related to a specific alert. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..af24309c36 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,93 @@ +--- +title: Get alert related IPs information +description: Retrieves all IPs related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related ip +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get alert related IP information API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + + +Retrieves all IPs related to a specific alert. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Ip.Read.All | 'Read IP address profiles' +Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/alerts/{id}/ips +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/ips +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/$metadata#Ips", + "value": [ + { + "id": "104.80.104.128" + }, + { + "id": "23.203.232.228 + } + ] +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md index 1952732087..c90e325cd2 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md @@ -11,15 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get alert related IP information API +# Get alert related IP information API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves all IPs related to a specific alert. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..55b0895b5f --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,103 @@ +--- +title: Get alert related machine information +description: Retrieves all machines related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related machine +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get alert related machine information API + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +- Retrieves machine that is related to a specific alert. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine information' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/alerts/{id}/machine +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and alert and machine exist - 200 OK. If alert not found or machine not found - 404 Not Found. + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + + +``` +GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/machine +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md index 52169b949b..9d2b5d8a54 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md @@ -11,15 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get alert related machine information API +# Get alert related machine information API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves all machines related to a specific alert. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..a96ecfe588 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,94 @@ +--- +title: Get alert related user information +description: Retrieves the user associated to a specific alert. +keywords: apis, graph api, supported apis, get, alert, information, related, user +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get alert related user information API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + + +Retrieves the user associated to a specific alert. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | User.Read.All | 'Read user profiles' +Delegated (work or school account) | User.Read.All | 'Read user profiles' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/alerts/{id}/user +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and alert and a user exists - 200 OK with user in the body. If alert or user not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + + +``` +GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/user +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity", + "id": "contoso\\user1", + "firstSeen": "2018-08-02T00:00:00Z", + "lastSeen": "2018-08-04T00:00:00Z", + "mostPrevalentMachineId": null, + "leastPrevalentMachineId": null, + "logonTypes": "Network", + "logOnMachinesCount": 3, + "isDomainAdmin": false, + "isOnlyNetworkUser": null +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md index c60acf0220..0f7a062536 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get alert related user information API +# Get alert related user information API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecated information](deprecate.md)] Retrieves the user associated to a specific alert. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..45820ed888 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,139 @@ +--- +title: List alerts API +description: Retrieves top recent alerts. +keywords: apis, graph api, supported apis, get, alerts, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# List alerts API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +[!include[Prereleaseinformation](prerelease.md)] + + +- Retrieves a collection of Alerts. +- Supports [OData V4 queries](https://www.odata.org/documentation/). +- The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category". +- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alert.Read.All | 'Read all alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.Read | 'Read alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The response will include only alerts that are associated with machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/alerts +``` + +## Optional query parameters +Method supports $skip and $top query parameters. + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK, and a list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) objects in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/alerts +``` + +**Response** + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. + + +```json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "value": [ + { + "id": "121688558380765161_2136280442", + "incidentId": 7696, + "assignedTo": "secop@contoso.com", + "severity": "High", + "status": "New", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-26T16:19:21.8409809Z", + "firstEventTime": "2018-11-26T16:17:50.0948658Z", + "lastEventTime": "2018-11-26T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + }, + { + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + } + ] +} +``` + +## Related topics +- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md index 29b9ca446e..4fd7bfe798 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md @@ -11,15 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get alerts API +# Get alerts API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves top recent alerts. diff --git a/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md index ae59bae72e..304062eb4b 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md @@ -10,7 +10,11 @@ ms.sitesec: library ms.pagetype: security ms.author: leonidzh author: mjcaparas -ms.localizationpriority: medium +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 10/07/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..2a44ef58e4 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,133 @@ +--- +title: Get domain related alerts API +description: Retrieves a collection of alerts related to a given domain address. +keywords: apis, graph api, supported apis, get, domain, related, alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get domain related alerts API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +[!include[Prereleaseinformation](prerelease.md)] + + + + + +Retrieves a collection of alerts related to a given domain address. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alert.Read.All | 'Read all alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.Read | 'Read alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/domains/{domain}/alerts +``` + +## Request headers + +Header | Value +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and domain exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities. If domain does not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts +``` + +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 200 OK +Content-type: application/json + +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + }, + { + "id": "121688558380765161_2136280442", + "incidentId": 4123, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-24T16:19:21.8409809Z", + "firstEventTime": "2018-11-24T16:17:50.0948658Z", + "lastEventTime": "2018-11-24T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + } + ] +} +``` + diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md index 5f0b8ccfc5..056e7fcffd 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md @@ -11,16 +11,22 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get domain related alerts API +# Get domain related alerts API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] + Retrieves a collection of alerts related to a given domain address. diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..00bff8380f --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,126 @@ +--- +title: Get domain related machines API +description: Retrieves a collection of machines related to a given domain address. +keywords: apis, graph api, supported apis, get, domain, related, machines +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get domain related machines API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Retrieves a collection of machines that have communicated to or from a given domain address. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/domains/{domain}/machines +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and domain exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities. If domain do not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + + +``` +GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] + }, + { + "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", + "computerDnsName": "mymachine2.contoso.com", + "firstSeen": "2018-07-09T13:22:45.1250071Z", + "lastSeen": "2018-07-09T13:22:45.1250071Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "192.168.12.225", + "lastExternalIpAddress": "79.183.65.82", + "agentVersion": "10.5820.17724.1000", + "osBuild": 17724, + "healthStatus": "Inactive", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [ "test tag 1" ] + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md index c09460e204..45f5bbd0c4 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md @@ -11,15 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get domain related machines API +# Get domain related machines API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves a collection of machines related to a given domain address. diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..f4f669e5a2 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,87 @@ +--- +title: Get domain statistics API +description: Retrieves the prevalence for the given domain. +keywords: apis, graph api, supported apis, get, domain, domain related machines +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get domain statistics API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +[!include[Prereleaseinformation](prerelease.md)] + +Retrieves the prevalence for the given domain. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | URL.Read.All | 'Read URLs' +Delegated (work or school account) | URL.Read.All | 'Read URLs' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/domains/{domain}/stats +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and domain exists - 200 OK, with statistics object in the response body. If domain does not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/domains/example.com/stats +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats", + "host": "example.com", + "orgPrevalence": "4070", + "orgFirstSeen": "2017-07-30T13:23:48Z", + "orgLastSeen": "2017-08-29T13:09:05Z" +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md index 2e3cde9b70..ad4cf3a27b 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md @@ -11,15 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get domain statistics API +# Get domain statistics API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Retrieves the prevalence for the given domain. diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..792f618d5f --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,101 @@ +--- +title: Get file information API +description: Retrieves a file by identifier Sha1, Sha256, or MD5. +keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5 +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get file information API +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + + +Retrieves a file by identifier Sha1, Sha256, or MD5. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | File.Read.All | 'Read all file profiles' +Delegated (work or school account) | File.Read.All | 'Read all file profiles' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + + +## HTTP request +``` +GET /api/files/{id} +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and file exists - 200 OK with the [file](files-windows-defender-advanced-threat-protection-new.md) entity in the body. If file does not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1 +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity", + "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1", + "sha256": "d4447dffdbb2889b4b4e746b0bc882df1b854101614b0aa83953ef3cb66904cf", + "md5": "7f05a371d2beffb3784fd2199f81d730", + "globalPrevalence": 7329, + "globalFirstObserved": "2018-04-08T05:50:29.4459725Z", + "globalLastObserved": "2018-08-07T23:35:11.1361328Z", + "windowsDefenderAVThreatName": null, + "size": 391680, + "fileType": "PortableExecutable", + "isPeFile": true, + "filePublisher": null, + "fileProductName": null, + "signer": null, + "issuer": null, + "signerHash": null, + "isValidCertificate": null +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md index 2d6f45993f..ca11fae786 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get file information API +# Get file information API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecated information](deprecate.md)] Retrieves a file by identifier Sha1, Sha256, or MD5. diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..46f6a80f2a --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,110 @@ +--- +title: Get file related alerts API +description: Retrieves a collection of alerts related to a given file hash. +keywords: apis, graph api, supported apis, get, file, hash +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get file related alerts API +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +[!include[Prereleaseinformation](prerelease.md)] + + +Retrieves a collection of alerts related to a given file hash. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alert.Read.All | 'Read all alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.Read | 'Read alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/files/{id}/alerts +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and file exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If file do not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "value": [ + { + "id": "121688558380765161_2136280442", + "incidentId": 7696, + "assignedTo": "secop@contoso.com", + "severity": "High", + "status": "New", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-26T16:19:21.8409809Z", + "firstEventTime": "2018-11-26T16:17:50.0948658Z", + "lastEventTime": "2018-11-26T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md index 89272a50e2..d1f066091d 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get file related alerts API +# Get file related alerts API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecated information](deprecate.md)] Retrieves a collection of alerts related to a given file hash. diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..bf738b355a --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,125 @@ +--- +title: Get file related machines API +description: Retrieves a collection of machines related to a given file hash. +keywords: apis, graph api, supported apis, get, machines, hash +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get file related machines API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +- Retrieves a collection of machines related to a given file hash. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/files/{id}/machines +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and file exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If file do not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] + }, + { + "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", + "computerDnsName": "mymachine2.contoso.com", + "firstSeen": "2018-07-09T13:22:45.1250071Z", + "lastSeen": "2018-07-09T13:22:45.1250071Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "192.168.12.225", + "lastExternalIpAddress": "79.183.65.82", + "agentVersion": "10.5820.17724.1000", + "osBuild": 17724, + "healthStatus": "Inactive", + "rbacGroupId": 140, + "riskScore": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [ "test tag 1" ] + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md index 62a8f25bcf..a8650d806c 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get file related machines API +# Get file related machines API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecated information](deprecate.md)] Retrieves a collection of machines related to a given file hash. diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..17f1f3525d --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,96 @@ +--- +title: Get file statistics API +description: Retrieves the prevalence for the given file. +keywords: apis, graph api, supported apis, get, file, statistics +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get file statistics API +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + + + + + +Retrieves the prevalence for the given file. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | File.Read.All | 'Read file profiles' +Delegated (work or school account) | File.Read.All | 'Read file profiles' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/files/{id}/stats +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and file exists - 200 OK with statistical data in the body. If file do not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/stats +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats", + "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1", + "orgPrevalence": "3", + "orgFirstSeen": "2018-07-15T06:13:59Z", + "orgLastSeen": "2018-08-03T16:45:21Z", + "topFileNames": [ + "chrome_1.exe", + "chrome_2.exe" + ] +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md index 07424aafd3..0e85bdd5e1 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get file statistics API +# Get file statistics API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecatedinformation](deprecate.md)] Retrieves the prevalence for the given file. diff --git a/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md index fb469ffac8..86719d8e4d 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get FileActions collection API +# Get FileActions collection API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecatedinformation](deprecate.md)] Gets collection of actions done on files. Get FileActions collection API supports OData V4 queries. diff --git a/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md index 0d846e906b..16d879ad08 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get FileMachineAction object API +# Get FileMachineAction object API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecatedinformation](deprecate.md)] Gets file and machine actions. diff --git a/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md index 27eb723cd9..6ff6b4a661 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get FileMachineActions collection API +# Get FileMachineActions collection API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecatedinformation](deprecate.md)] Get collection of file and machine actions. Get FileMachineActions collection API supports OData V4 queries. diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..08817b8e70 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,109 @@ +--- +title: Get IP related alerts API +description: Retrieves a collection of alerts related to a given IP address. +keywords: apis, graph api, supported apis, get, ip, related, alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get IP related alerts API +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Retrieves a collection of alerts related to a given IP address. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alert.Read.All | 'Read all alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.Read | 'Read alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/ips/{ip}/alerts +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and IP exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If IP do not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + + +``` +GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/alerts +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "value": [ + { + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md index 32e5f6f95e..fa65c52796 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get IP related alerts API +# Get IP related alerts API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecated information](deprecate.md)] Retrieves a collection of alerts related to a given IP address. diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..28d4703b18 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,126 @@ +--- +title: Get IP related machines API +description: Retrieves a collection of machines related to a given IP address. +keywords: apis, graph api, supported apis, get, ip, related, machines +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get IP related machines API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + + +Retrieves a collection of machines that communicated with or from a particular IP. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/ips/{ip}/machines +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and IP exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If IP do not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/machines +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "riskScore": "Low", + "rbacGroupName": "The-A-Team", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] + }, + { + "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", + "computerDnsName": "mymachine2.contoso.com", + "firstSeen": "2018-07-09T13:22:45.1250071Z", + "lastSeen": "2018-07-09T13:22:45.1250071Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "192.168.12.225", + "lastExternalIpAddress": "79.183.65.82", + "agentVersion": "10.5820.17724.1000", + "osBuild": 17724, + "healthStatus": "Inactive", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [ "test tag 1" ] + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md index acbfa51a4a..756cbde8ab 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- @@ -37,8 +41,7 @@ Content type | application/json Empty ## Response -If successful and IP and machines exists - 200 OK. -If IP or machines do not exist - 404 Not Found. +If successful and IP and machines exists - 200 OK. If IP or machines do not exist - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..3c2c965ffb --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,89 @@ +--- +title: Get IP statistics API +description: Retrieves the prevalence for the given IP. +keywords: apis, graph api, supported apis, get, ip, statistics, prevalence +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get IP statistics API +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + + + +Retrieves the prevalence for the given IP. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Ip.Read.All | 'Read IP address profiles' +Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/ips/{ip}/stats +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and ip exists - 200 OK with statistical data in the body. IP do not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/stats +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats", + "ipAddress": "10.209.67.177", + "orgPrevalence": "63515", + "orgFirstSeen": "2017-07-30T13:36:06Z", + "orgLastSeen": "2017-08-29T13:32:59Z" +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md index 04783ac39e..01e4b54211 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- diff --git a/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md index 700a3ded7d..f44abf8b92 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md @@ -10,7 +10,11 @@ ms.sitesec: library ms.pagetype: security ms.author: leonidzh author: mjcaparas -ms.localizationpriority: medium +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 10/07/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..3612531147 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,107 @@ +--- +title: Get machine by ID API +description: Retrieves a machine entity by ID. +keywords: apis, graph api, supported apis, get, machines, entity, id +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get machine by ID API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +- Retrieves a machine entity by ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + + +## HTTP request +``` +GET /api/machines/{id} +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and machine exists - 200 OK with the [machine](machine-windows-defender-advanced-threat-protection-new.md) entity in the body. +If machine with the specified id was not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07 +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md index 078641587d..70f7ef1f4c 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get machine by ID API +# Get machine by ID API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecated information](deprecate.md)] Retrieves a machine entity by ID. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..eb0edbe3e4 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,108 @@ +--- +title: Get machine log on users API +description: Retrieves a collection of logged on users. +keywords: apis, graph api, supported apis, get, machine, log on, users +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get machine log on users API + +[!include[Prereleaseinformation](prerelease.md)] + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +Retrieves a collection of logged on users. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | User.Read.All | 'Read user profiles' +Delegated (work or school account) | User.Read.All | 'Read user profiles' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include users only if the machine is visible to the user, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/machines/{id}/logonusers +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and machine exist - 200 OK with list of [user](user-windows-defender-advanced-threat-protection-new.md) entities in the body. If machine was not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users", + "value": [ + { + "id": "contoso\\user1", + "firstSeen": "2018-08-02T00:00:00Z", + "lastSeen": "2018-08-04T00:00:00Z", + "mostPrevalentMachineId": null, + "leastPrevalentMachineId": null, + "logonTypes": "Network", + "logOnMachinesCount": 3, + "isDomainAdmin": false, + "isOnlyNetworkUser": null + }, + { + "id": "contoso\\user2", + "firstSeen": "2018-08-02T00:00:00Z", + "lastSeen": "2018-08-05T00:00:00Z", + "mostPrevalentMachineId": null, + "leastPrevalentMachineId": null, + "logonTypes": "Network", + "logOnMachinesCount": 3, + "isDomainAdmin": false, + "isOnlyNetworkUser": null + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md index 0bf2c47c64..1b5ab3844f 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get machine log on users API +# Get machine log on users API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecated information](deprecate.md)] Retrieves a collection of logged on users. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..df392f1ef1 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,109 @@ +--- +title: Get machine related alerts API +description: Retrieves a collection of alerts related to a given machine ID. +keywords: apis, graph api, supported apis, get, machines, related, alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get machine related alerts API + +[!include[Prereleaseinformation](prerelease.md)] + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +Retrieves a collection of alerts related to a given machine ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alert.Read.All | 'Read all alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.Read | 'Read alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/machines/{id}/alerts +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and machine exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If machine was not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + + +``` +GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/alerts +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "value": [ + { + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md index 4d976968c0..42bdf1c86f 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get machine related alerts API +# Get machine related alerts API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecated information](deprecate.md)] Retrieves a collection of alerts related to a given machine ID. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..19a78ab6d8 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,96 @@ +--- +title: Get MachineAction object API +description: Use this API to create calls related to get machineaction object +keywords: apis, graph api, supported apis, machineaction object +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get machineAction API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +- Get action performed on a machine. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET https://api.securitycenter.windows.com/api/machineactions/{id} +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200, Ok response code with a [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity. If machine action entity with the specified id was not found - 404 Not Found. + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 Ok +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", + "type": "RunAntiVirusScan", + "requestor": "Analyst@contoso.com", + "requestorComment": "Check machine for viruses due to alert 3212", + "status": "Succeeded", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", + "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z", + "relatedFileInfo": null +} + + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md index 2c94ca5628..5d17696c39 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get MachineAction object API +# Get MachineAction object API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecatedinformation](deprecate.md)] Get actions done on a machine. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..4be4316a45 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,178 @@ +--- +title: List machineActions API +description: Use this API to create calls related to get machineactions collection +keywords: apis, graph api, supported apis, machineaction collection +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# List MachineActions API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +- Gets collection of actions done on machines. +- Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/). +- The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc". +- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET https://api.securitycenter.windows.com/api/machineactions +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200, Ok response code with a collection of [machineAction](machineaction-windows-defender-advanced-threat-protection-new.md) entities. + + +## Example 1 + +**Request** + +Here is an example of the request on an organization that has three MachineActions. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/machineactions +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 Ok +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions", + "value": [ + { + "id": "69dc3630-1ccc-4342-acf3-35286eec741d", + "type": "CollectInvestigationPackage", + "requestor": "Analyst@contoso.com", + "requestorComment": "test", + "status": "Succeeded", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z", + "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z", + "relatedFileInfo": null + }, + { + "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", + "type": "RunAntiVirusScan", + "requestor": "Analyst@contoso.com", + "requestorComment": "Check machine for viruses due to alert 3212", + "status": "Succeeded", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", + "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z", + "relatedFileInfo": null + }, + { + "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e", + "type": "StopAndQuarantineFile", + "requestor": "Analyst@contoso.com", + "requestorComment": "test", + "status": "Succeeded", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z", + "lastUpdateTimeUtc": "2018-12-04T12:16:14.2899973Z", + "relatedFileInfo": { + "fileIdentifier": "a0c659857ccbe457fdaf5fe21d54efdcbf6f6508", + "fileIdentifierType": "Sha1" + } + } + ] +} +``` + +## Example 2 + +**Request** + +Here is an example of a request that filters the MachineActions by machine ID and shows the latest two MachineActions. + +``` +GET https://api.securitycenter.windows.com/api/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2 +``` + +**Response** + +Here is an example of the response. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +HTTP/1.1 200 Ok +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions", + "value": [ + { + "id": "69dc3630-1ccc-4342-acf3-35286eec741d", + "type": "CollectInvestigationPackage", + "requestor": "Analyst@contoso.com", + "requestorComment": "test", + "status": "Succeeded", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z", + "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z", + "relatedFileInfo": null + }, + { + "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", + "type": "RunAntiVirusScan", + "requestor": "Analyst@contoso.com", + "requestorComment": "Check machine for viruses due to alert 3212", + "status": "Succeeded", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", + "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z", + "relatedFileInfo": null + } + ] +} +``` + +## Related topics +- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md index c86ead0780..b0b763756d 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get MachineActions collection API +# Get MachineActions collection API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecatedinformation](deprecate.md)] Gets collection of actions done on machines. Get MachineAction collection API supports OData V4 queries. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md index d98a86a488..acd0502c87 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md @@ -10,7 +10,11 @@ ms.sitesec: library ms.pagetype: security ms.author: leonidzh author: mjcaparas -ms.localizationpriority: medium +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 10/07/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..907c5e5838 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,132 @@ +--- +title: List machines API +description: Retrieves a collection of recently seen machines. +keywords: apis, graph api, supported apis, get, machines +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# List machines API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +- Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days. +- Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/). +- The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId". +- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) + +## Permissions + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET https://api.securitycenter.windows.com/api/machines +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If no recent machines - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/machines +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] + }, + { + "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", + "computerDnsName": "mymachine2.contoso.com", + "firstSeen": "2018-07-09T13:22:45.1250071Z", + "lastSeen": "2018-07-09T13:22:45.1250071Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "192.168.12.225", + "lastExternalIpAddress": "79.183.65.82", + "agentVersion": "10.5820.17724.1000", + "osBuild": 17724, + "healthStatus": "Inactive", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [ "test tag 1" ] + } + ] +} +``` + +## Related topics +- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md index d442db809b..af20fa7c3a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md @@ -11,15 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get machines API +# Get machines API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves a collection of recently seen machines. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md index 8880d2c1b8..f118c229d5 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md @@ -10,7 +10,11 @@ ms.sitesec: library ms.pagetype: security ms.author: leonidzh author: mjcaparas -ms.localizationpriority: medium +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 10/07/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..32bc25c9bd --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,88 @@ +--- +title: Get package SAS URI API +description: Use this API to get a URI that allows downloading an investigation package. +keywords: apis, graph api, supported apis, get package, sas, uri +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get package SAS URI API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +Get a URI that allows downloading of an [investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md). + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.CollectForensics | 'Collect forensics' +Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET https://api.securitycenter.windows.com/api/machineactions/{machine action id}/getPackageUri +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200, Ok response code with object that holds the link to the package in the “value” parameter. This link is valid for a very short time and should be used immediately for downloading the package to a local storage. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri + +``` + +**Response** + +Here is an example of the response. + +[!include[Improve request performance](improverequestperformance-new.md)] + + +``` +HTTP/1.1 200 Ok +Content-type: application/json + +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.String", + "value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\"" +} + + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md index 60f0e29f88..929c85a45a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get package SAS URI API +# Get package SAS URI API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecated information](deprecate.md)] Get a URI that allows downloading of an investigation package. diff --git a/windows/security/threat-protection/windows-defender-atp/get-started.md b/windows/security/threat-protection/windows-defender-atp/get-started.md index 08d0bcb99e..22b8e3e7ee 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-started.md +++ b/windows/security/threat-protection/windows-defender-atp/get-started.md @@ -11,7 +11,11 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 11/20/2018 --- # Get started with Windows Defender Advanced Threat Protection @@ -19,6 +23,10 @@ ms.date: 09/03/2018 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +>[!TIP] +>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). + Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP. The following capabilities are available across multiple products that make up the Windows Defender ATP platform. diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..ffef895d91 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,96 @@ +--- +title: Get Ti Indicator by ID API +description: Retrieves Ti Indicator entity by ID. +keywords: apis, public api, supported apis, get, ti indicator, entity, id +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get TI Indicator by ID API + +[!include[Prereleaseinformation](prerelease.md)] + +>[!Note] +> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information) + + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +Retrieves a TI Indicator entity by ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Ti.ReadWrite | 'Read and write TI Indicators' + + +## HTTP request +``` +GET https://api.securitycenter.windows.com/api/tiindicators/{id} +``` + +[!include[Improve request performance](improverequestperformance-new.md)] + + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and TI Indicator exists - 200 OK with the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the body. +If TI Indicator with the specified id was not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators/$entity", + "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", + "indicatorType": "FileSha1", + "title": "test", + "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z", + "createdBy": "45097602-0cfe-4cc6-925f-9f453233e62c", + "expirationTime": "2020-12-12T00:00:00Z", + "action": "AlertAndBlock", + "severity": "Informational", + "description": "test", + "recommendedActions": "TEST" +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..c08f3eba3d --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,113 @@ +--- +title: List TiIndicators API +description: Use this API to create calls related to get TiIndicators collection +keywords: apis, public api, supported apis, TiIndicators collection +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# List TiIndicators API + +[!include[Prereleaseinformation](prerelease.md)] + +>[!Note] +> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information) + + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + Gets collection of TI Indicators. + Get TI Indicators collection API supports [OData V4 queries](https://www.odata.org/documentation/). + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Ti.ReadWrite | 'Read and write TI Indicators' + + +## HTTP request +``` +GET https://api.securitycenter.windows.com/api/tiindicators +``` + +[!include[Improve request performance](improverequestperformance-new.md)] + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200, Ok response code with a collection of [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities. + +>[!Note] +> The response will only include TI Indicators that submitted by the calling Application. + + +## Example + +**Request** + +Here is an example of a request that gets all TI Indicators + +``` +GET https://api.securitycenter.windows.com/api/tiindicators +``` + +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 200 Ok +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators", + "value": [ + { + "indicator": "12.13.14.15", + "indicatorType": "IpAddress", + "title": "test", + "creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z", + "createdBy": "45097602-1234-5678-1234-9f453233e62c", + "expirationTime": "2020-12-12T00:00:00Z", + "action": "AlertAndBlock", + "severity": "Informational", + "description": "test", + "recommendedActions": "test" + }, + { + "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", + "indicatorType": "FileSha1", + "title": "test", + "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z", + "createdBy": "45097602-1234-5678-1234-9f453233e62c", + "expirationTime": "2020-12-12T00:00:00Z", + "action": "AlertAndBlock", + "severity": "Informational", + "description": "test", + "recommendedActions": "TEST" + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..c0f03256f8 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,89 @@ +--- +title: Get user information API +description: Retrieve a User entity by key such as user name or domain. +keywords: apis, graph api, supported apis, get, user, user information +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get user information API + +[!include[Prerelease information](prerelease.md)] + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Retrieve a User entity by key (user name). + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | User.Read.All | 'Read all user profiles' + +## HTTP request +``` +GET /api/users/{id}/ +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and user exists - 200 OK with [user](user-windows-defender-advanced-threat-protection-new.md) entity in the body. If user does not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/users/user1 +Content-type: application/json +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity", + "id": "user1", + "firstSeen": "2018-08-02T00:00:00Z", + "lastSeen": "2018-08-04T00:00:00Z", + "mostPrevalentMachineId": null, + "leastPrevalentMachineId": null, + "logonTypes": "Network", + "logOnMachinesCount": 3, + "isDomainAdmin": false, + "isOnlyNetworkUser": null +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md index c4dfae50e6..9301b0a805 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get user information API +# Get user information API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecated information](deprecate.md)] Retrieve a User entity by key (user name or domain\user). diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..6044ca7009 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,129 @@ +--- +title: Get user related alerts API +description: Retrieves a collection of alerts related to a given user ID. +keywords: apis, graph api, supported apis, get, user, related, alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get user related alerts API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Retrieves a collection of alerts related to a given user ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alert.Read.All | 'Read all alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.Read | 'Read alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/users/{id}/alerts +``` + +**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts) ** + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and user exist - 200 OK. If the user do not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/users/user1/alerts +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "value": [ + { + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + }, + { + "id": "121688558380765161_2136280442", + "incidentId": 4123, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-24T16:19:21.8409809Z", + "firstEventTime": "2018-11-24T16:17:50.0948658Z", + "lastEventTime": "2018-11-24T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md index aadcc3dd2b..4884ead11f 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 12/08/2017 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 11/15/2018 --- -# Get user related alerts API +# Get user related alerts API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecated information](deprecate.md)] Retrieves a collection of alerts related to a given user ID. diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..85086a77ec --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,129 @@ +--- +title: Get user related machines API +description: Retrieves a collection of machines related to a given user ID. +keywords: apis, graph api, supported apis, get, user, user related alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Get user related machines API + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Retrieves a collection of machines related to a given user ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/users/{id}/machines +``` + +**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines) ** + + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and user exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If user does not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/users/user1/machines +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] + }, + { + "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", + "computerDnsName": "mymachine2.contoso.com", + "firstSeen": "2018-07-09T13:22:45.1250071Z", + "lastSeen": "2018-07-09T13:22:45.1250071Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "192.168.12.225", + "lastExternalIpAddress": "79.183.65.82", + "agentVersion": "10.5820.17724.1000", + "osBuild": 17724, + "healthStatus": "Inactive", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [ "test tag 1" ] + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md index 1b66f1961a..0a0c740329 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Get user related machines API +# Get user related machines API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecated information](deprecate.md)] Retrieves a collection of machines related to a given user ID. diff --git a/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md b/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md deleted file mode 100644 index 0f25416ca8..0000000000 --- a/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md +++ /dev/null @@ -1,54 +0,0 @@ ---- -title: How hardware-based containers help protect Windows 10 (Windows 10) -description: Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised. -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: justinha -ms.date: 08/01/2018 ---- - - -# Windows Defender System Guard: How hardware-based containers help protect Windows 10 - -Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised. -Windows 10 protects critical resources, such as the Windows authentication stack, single sign-on tokens, Windows Hello biometric stack, and Virtual Trusted Platform Module, by using a container type called Windows Defender System Guard. - -Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make the these security guarantees: - -- Protect and maintain the integrity of the system as it starts up -- Protect and maintain the integrity of the system after it's running -- Validate that system integrity has truly been maintained through local and remote attestation - -## Maintaining the integrity of the system as it starts - -With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege. - -With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) we have a hardware-based root of trust that helps us ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). - -After successful verification and startup of the device’s firmware and Windows bootloader, the next opportunity for attackers to tamper with the system’s integrity is while the rest of the Windows operating system and defenses are starting. As an attacker, embedding your malicious code using a rootkit within the boot process enables you to gain the maximum level of privilege and gives you the ability to more easily persist and evade detection. - -This is where Windows Defender System Guard protection begins with its ability to ensure that only properly signed and secure Windows files and drivers, including third party, can start on the device. At the end of the Windows boot process, System Guard will start the system’s antimalware solution, which scans all third party drivers, at which point the system boot process is completed. In the end, Windows Defender System Guard helps ensure that the system securely boots with integrity and that it hasn’t been compromised before the remainder of your system defenses start. - -![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png) - -## Maintaining integrity of the system after it’s running (run time) - -Prior to Windows 10, if an attacker exploited the system and gained SYSTEM level privilege or they compromised the kernel itself, it was game over. The level of control that an attacker would acquire in this condition would enable them to tamper with and bypass many, if not all, of your system defenses. While we have a number of development practices and technologies (such as Windows Defender Exploit Guard) that have made it difficult to gain this level of privilege in Windows 10, the reality is that we needed a way to maintain the integrity of the most sensitive Windows services and data, even when the highest level of privilege has been secured by an adversary. - -With Windows 10, we introduced the concept of virtualization-based security (VBS), which enables us to contain the most sensitive Windows services and data in hardware-based isolation, which is the Windows Defender System Guard container. This secure environment provides us with the hardware-based security boundary we need to be able to secure and maintain the integrity of critical system services at run time like Credential Guard, Device Guard, Virtual TPM and parts of Windows Defender Exploit Guard, just to name a few. - -![Windows Defender System Guard](images/windows-defender-system-guard.png) - -## Validating platform integrity after Windows is running (run time) - -While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we can’t just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device’s integrity. - -As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. - - -![Windows Defender System Guard](images/windows-defender-system-guard-validate-system-integrity.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-assign-role.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-assign-role.png new file mode 100644 index 0000000000..93e294ec2b Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-assign-role.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png index a4a07d3b92..4449661657 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-settings-aip.png b/windows/security/threat-protection/windows-defender-atp/images/atp-settings-aip.png new file mode 100644 index 0000000000..f66b75a274 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-settings-aip.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/azure-data-discovery.png b/windows/security/threat-protection/windows-defender-atp/images/azure-data-discovery.png new file mode 100644 index 0000000000..0148a800b2 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/azure-data-discovery.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/enable_siem.png b/windows/security/threat-protection/windows-defender-atp/images/enable_siem.png new file mode 100644 index 0000000000..ac8a62b883 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/enable_siem.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-choose-action.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-choose-action.png new file mode 100644 index 0000000000..867fb4d976 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-choose-action.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-define-action.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-define-action.png new file mode 100644 index 0000000000..51588e0bdc Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-define-action.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-e2e.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-e2e.png new file mode 100644 index 0000000000..f33aa04682 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-e2e.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-insert-db.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-insert-db.png new file mode 100644 index 0000000000..1f15b39220 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-insert-db.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-parse-json.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-parse-json.png new file mode 100644 index 0000000000..b42c9ec193 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-parse-json.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-read-db.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-read-db.png new file mode 100644 index 0000000000..89e20f3a67 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-read-db.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permission.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permission.png new file mode 100644 index 0000000000..1f7f423e49 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permission.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permissions-end.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permissions-end.png new file mode 100644 index 0000000000..eb866e3cce Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permissions-end.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-create.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-create.png new file mode 100644 index 0000000000..05d76ec807 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-create.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-decoded-token.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-decoded-token.png new file mode 100644 index 0000000000..92f46bf116 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-decoded-token.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-get-appid.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-get-appid.png new file mode 100644 index 0000000000..859e4fa8a3 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-get-appid.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-select-permissions.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-select-permissions.png new file mode 100644 index 0000000000..2114b14c4d Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-select-permissions.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/office-scc-label.png b/windows/security/threat-protection/windows-defender-atp/images/office-scc-label.png new file mode 100644 index 0000000000..750bd6e459 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/office-scc-label.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-advanced-query.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-advanced-query.png new file mode 100644 index 0000000000..d5fdf37ac2 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-advanced-query.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-blank-query.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-blank-query.png new file mode 100644 index 0000000000..d060becd5b Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-blank-query.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-credentials.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-credentials.png new file mode 100644 index 0000000000..62c96acf75 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-credentials.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-data-privacy.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-data-privacy.png new file mode 100644 index 0000000000..7098c8a543 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-data-privacy.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-open-advanced-editor.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-open-advanced-editor.png new file mode 100644 index 0000000000..5c340e3138 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-open-advanced-editor.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-query-results.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-query-results.png new file mode 100644 index 0000000000..b94ee3a009 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-query-results.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-anonymous.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-anonymous.png new file mode 100644 index 0000000000..dce1698521 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-anonymous.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png new file mode 100644 index 0000000000..049d3ed6ee Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png new file mode 100644 index 0000000000..054470d70e Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-data-privacy.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-data-privacy.png new file mode 100644 index 0000000000..00a8756c43 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-data-privacy.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/siem_details.png b/windows/security/threat-protection/windows-defender-atp/images/siem_details.png new file mode 100644 index 0000000000..94c724f0c8 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/siem_details.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-2.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-2.png new file mode 100644 index 0000000000..8123965c84 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-2.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-end.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-end.png new file mode 100644 index 0000000000..40f15eb65a Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-end.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission.png new file mode 100644 index 0000000000..38e98ce07d Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-create-key.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-create-key.png new file mode 100644 index 0000000000..4ddb1fae83 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-create-key.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png new file mode 100644 index 0000000000..a091db0189 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-decoded-token.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-decoded-token.png new file mode 100644 index 0000000000..be98e49216 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-decoded-token.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-multitenant.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-multitenant.png new file mode 100644 index 0000000000..47203a8151 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-multitenant.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-settings.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-settings.png new file mode 100644 index 0000000000..1b8396b50e Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-settings.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-get-appid.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-get-appid.png new file mode 100644 index 0000000000..103081f82c Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-get-appid.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-grant-permissions.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-grant-permissions.png new file mode 100644 index 0000000000..b7c7e0926f Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-grant-permissions.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-select-permission.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-select-permission.png new file mode 100644 index 0000000000..8edc069eaf Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-select-permission.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-validate-token.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-validate-token.png new file mode 100644 index 0000000000..c813929e31 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-validate-token.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md b/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md new file mode 100644 index 0000000000..475a844fa1 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md @@ -0,0 +1,27 @@ +--- +title: Improve request performance +description: Improve request performance +keywords: server, request, performance +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 04/24/2018 +--- + +# Improve request performance + + +>[!NOTE] +>For better performance, you can use server closer to your geo location: +> - api-us.securitycenter.windows.com +> - api-eu.securitycenter.windows.com +> - api-uk.securitycenter.windows.com \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/incidents-queue.md b/windows/security/threat-protection/windows-defender-atp/incidents-queue.md index 01abcc2317..c8959b8a9b 100644 --- a/windows/security/threat-protection/windows-defender-atp/incidents-queue.md +++ b/windows/security/threat-protection/windows-defender-atp/incidents-queue.md @@ -11,14 +11,16 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 10/08/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual --- -# Incidents queue in Windows Defender ATP +# Incidents in Windows Defender ATP **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -[!include[Prerelease information](prerelease.md)] When a cybersecurity threat is emerging, or a potential attacker is deploying its tactics, techniques/tools, and procedures (TTPs) on the network, Windows Defender ATP will quickly trigger alerts and launch matching automatic investigations. diff --git a/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md new file mode 100644 index 0000000000..7ca743699d --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md @@ -0,0 +1,56 @@ +--- +title: Configure information protection in Windows +description: Learn how to expand the coverage of WIP to protect files based on their label, regardless of their origin. +keywords: information, protection, data, loss, prevention, wip, policy, scc, compliance, labels, dlp +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/05/2018 +--- + +# Configure information protection in Windows +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +[!include[Prerelease information](prerelease.md)] + +Learn how you can use Windows Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin. + +>[!TIP] +> Read our blog post about how [Windows Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/). + +## Prerequisites +- Endpoints need to be on Windows 10, version 1809 or later +- You'll need the appropriate license to leverage the Windows Defender ATP and Azure Information Protection integration +- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information see, [Configure a Log Analytics workspace for the reports](https://docs.microsoft.comazure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports) + + +## Configuration steps +1. Define a WIP policy and assign it to the relevant devices. For more information, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). If WIP is already configured on the relevant devices, skip this step. +2. Define which labels need to get WIP protection in Office 365 Security and Compliance. + + 1. Go to: **Classifications > Labels**. + 2. Create a new label or edit an existing one. + 3. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP. + + ![Image of Office 365 Security and Compliance sensitivity label](images/office-scc-label.png) + + 4. Repeat for every label that you want to get WIP applied to in Windows. + +After completing these steps Windows Defender ATP will automatically identify labeled documents stored on the device and enable WIP on them. + +>[!NOTE] +>- The Windows Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take effect and ensure that the endpoint is online. Otherwise, it will not receive the policy. +>- Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information Protection data. + +## Related topic +- [Information protection in Windows overview](information-protection-in-windows-overview.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md new file mode 100644 index 0000000000..fc95457fbb --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md @@ -0,0 +1,102 @@ +--- +title: Information protection in Windows overview +description: Learn about how information protection works in Windows to identify and protect sensitive information +keywords: information, protection, dlp, wip, data, loss, prevention, protect +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 12/05/2018 +--- + +# Information protection in Windows overview +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +[!include[Prerelease information](prerelease.md)] + +Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. + + +Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite. + +>[!TIP] +> Read our blog post about how [Windows Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/). + + +Windows Defender ATP applies two methods to discover and protect data: +- **Data discovery** - Identify sensitive data on Windows devices at risk +- **Data protection** - Windows Information Protection (WIP) as outcome of Azure Information Protection label + + +## Data discovery +Windows Defender ATP automatically discovers files with sensitivity labels on Windows devices when the feature is enabled. You can enable the Azure Information Protection integration feature from Windows Defender Security Center. For more information, see [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md#azure-information-protection). + + +![Image of settings page with Azure Information Protection](images/atp-settings-aip.png) + +After enabling the Azure Information Protection integration, data discovery signals are immediately forwarded to Azure Information Protection from the device. When a labeled file is created or modified on a Windows device, Windows Defender ATP automatically reports the signal to Azure Information Protection. + +The reported signals can be viewed on the Azure Information Protection - Data discovery dashboard. + +### Azure Information Protection - Data discovery dashboard +This dashboard presents a summarized discovery information of data discovered by both Windows Defender ATP and Azure Information Protection. Data from Windows Defender ATP is marked with Location Type - Endpoint. + +![Image of Azure Information Protection - Data discovery](images/azure-data-discovery.png) + + +Notice the Device Risk column on the right, this device risk is derived directly from Windows Defender ATP, indicating the risk level of the security device where the file was discovered, based on the active security threats detected by Windows Defender ATP. + +Clicking the device risk level will redirect you to the device page in Windows Defender ATP, where you can get a comprehensive view of the device security status and its active alerts. + + +>[!NOTE] +>Windows Defender ATP does not currently report the Information Types. + +### Log Analytics +Data discovery based on Windows Defender ATP is also available in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-overview), where you can perform complex queries over the raw data. + +For more information on Azure Information Protection analytics, see [Central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip). + +Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic). + +To view Windows Defender ATP data, perform a query that contains: + + +``` +InformationProtectionLogs_CL +| where Workload_s == "Windows Defender" +``` + +**Prerequisites:** +- Customers must have a subscription for Azure Information Protection. +- Enable Azure Information Protection integration in Windows Defender Security Center: + - Go to **Settings** in Windows Defender Security Center, click on **Advanced Settings** under **General**. + + +## Data protection +For data to be protected, they must first be identified through labels. Sensitivity labels are created in Office Security and Compliance (SCC). Windows Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them. + + +When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Windows Defender ATP is the Data loss prevention. You'll need to turn on the Data loss prevention and select Enable Windows end point protection (DLP for devices). + + +![Image of Office 365 Security and Compliance sensitivity label](images/office-scc-label.png) + +Once, the policy is set and published, Windows Defender ATP automatically enables WIP for labeled files. When a labeled file is created or modified on a Windows device, Windows Defender ATP automatically detects it and enables WIP on that file if its label corresponds with Office Security and Compliance (SCC) policy. + +This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin. + +For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md). + + +## Related topics +- [How Windows Information Protection protects files with a sensitivity label](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md index 87f2d65c02..caeb9391f8 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- @@ -54,14 +58,11 @@ Some actor profiles include a link to download a more comprehensive threat intel The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading. ## Alert process tree -The **Alert process tree** takes alert triage and investigation to the next level, displaying the alert and related evidence, together with other events that occurred within the same execution context and time. This rich triage context of the alert and surrounding events is available on the alert page. +The **Alert process tree** takes alert triage and investigation to the next level, displaying the aggregated alert and surrounding evidence that occurred within the same execution context and time period. This rich triage and investigation context is available on the alert page. ![Image of the alert process tree](images/atp-alert-process-tree.png) -The **Alert process tree** expands to display the execution path of the alert, its evidence, and related events that occurred in the minutes - before and after - the alert. - -The alert and related events or evidence have circles with thunderbolt icons inside them. - +The **Alert process tree** expands to display the execution path of the alert and related evidence that occurred around the same period. Items marked with a thunderbolt icon should be given priority during investigation. >[!NOTE] >The alert process tree might not be available in some alerts. diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md index 3529488b89..8da3f67372 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- # Investigate a domain associated with a Windows Defender ATP alert diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md index 196e04a38f..d9ae8a7faf 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- # Investigate a file associated with a Windows Defender ATP alert diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md index 464c9131b9..4bf073aca3 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md @@ -11,7 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 10/08/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Investigate incidents in Windows Defender ATP @@ -19,7 +22,6 @@ ms.date: 10/08/2018 **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -[!include[Prerelease information](prerelease.md)] Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them. @@ -36,6 +38,7 @@ Alerts are grouped into incidents based on the following reasons: - Manual association - A user manually linked the alerts - Proximate time - The alerts were triggered on the same machine within a certain timeframe - Same file - The files associated with the alert are exactly the same +- Same URL - The URL that triggered the alert is exactly the same ![Image of alerts tab in incident page showing the Linked by tool tip](images/atp-incidents-alerts-tooltip.png) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md index 0a5384f47f..b197fed832 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- # Investigate an IP address associated with a Windows Defender ATP alert diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index 2c1fdf3100..838654bcf3 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 09/18/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md index 7850ace854..b47a079791 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- # Investigate a user account in Windows Defender ATP diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..026174d5f5 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,84 @@ +--- +title: Is domain seen in org API +description: Use this API to create calls related to checking whether a domain was seen in the organization. +keywords: apis, graph api, supported apis, domain, domain seen +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 04/24/2018 +--- + +# Was domain seen in org +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +[!include[Prereleaseinformation](prerelease.md)] + +Answers whether a domain was seen in the organization. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Url.Read.All | 'Read URLs' +Delegated (work or school account) | URL.Read.All | 'Read URLs' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/domains/{domain} +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and domain exists - 200 OK. If domain does not exist - 404 Not Found. + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/domains/example.com +Content-type: application/json +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Domains/$entity", + "host": "example.com" +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md index 892fc60bd3..f2f3f599ed 100644 --- a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md @@ -11,12 +11,21 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- -# Is domain seen in org +# Is domain seen in org (deprecated) Answers whether a domain was seen in the organization. +[!include[Deprecatedinformation](deprecate.md)] + + + + ## Permissions User needs read permissions. diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..8cfb010fc6 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,85 @@ +--- +title: Is IP seen in org API +description: Answers whether an IP was seen in the organization. +keywords: apis, graph api, supported apis, is, ip, seen, org, organization +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Was IP seen in org +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +[!include[Prereleaseinformation](prerelease.md)] + +Answers whether an IP was seen in the organization. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Ip.Read.All | 'Read IP address profiles' +Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/ips/{ip} +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and IP exists - 200 OK. If IP do not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/ips/10.209.67.177 +``` + +**Response** + +Here is an example of the response. + +[!include[Improve request performance](improverequestperformance-new.md)] + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Ips/$entity", + "id": "10.209.67.177" +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md index d006cede0b..0b86cc08b7 100644 --- a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Is IP seen in org +# Is IP seen in org (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecatedinformation](deprecate.md)] Answers whether an IP was seen in the organization. diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..a09ded139b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,112 @@ +--- +title: Isolate machine API +description: Use this API to create calls related isolating a machine. +keywords: apis, graph api, supported apis, isolate machine +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Isolate machine API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +Isolates a machine from accessing external network. + +[!include[Machine actions note](machineactionsnote.md)] + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Isolate | 'Isolate machine' +Delegated (work or school account) | Machine.Isolate | 'Isolate machine' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/isolate +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. +IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'Selective'. + +**IsolationType** controls the type of isolation to perform and can be one of the following: +- Full – Full isolation +- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) for more details) + + +## Response +If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate +Content-type: application/json +{ + "Comment": "Isolate machine due to alert 1234", + “IsolationType”: “Full” +} + +``` +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "b89eb834-4578-496c-8be0-03f004061435", + "type": "Isolate", + "requestor": "Analyst@contoso.com ", + "requestorComment": "Isolate machine due to alert 1234", + "status": "InProgress", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "creationDateTimeUtc": "2017-12-04T12:12:18.9725659Z", + "lastUpdateTimeUtc": "2017-12-04T12:12:18.9725659Z", + "relatedFileInfo": null +} + +``` + +To unisolate a machine, see [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md). diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md index 61cfbb1c6f..fbff79456d 100644 --- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Isolate machine API +# Isolate machine API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecated information](deprecate.md)] Isolates a machine from accessing external network. diff --git a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md index 3e8115cdf3..42437e4204 100644 --- a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: v-tanewt author: tbit0001 ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 10/16/2017 --- # Validate licensing provisioning and complete set up for Windows Defender ATP diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md index 4f1279bc34..577b8b2663 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 05/08/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md index b6fc180e59..61d6e8a22e 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md @@ -11,7 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/13/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Create and manage machine tags @@ -79,4 +82,9 @@ You can manage tags from the Actions button or by selecting a machine from the M ![Image of adding tags on a machine](images/atp-tag-management.png) +## Add machine tags using APIs +For more information, see [Add or remove machine tags API](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md). + + + diff --git a/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..72b05d4072 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,52 @@ +--- +title: Machine resource type +description: Retrieves top machines +keywords: apis, supported apis, get, machines +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 11/11/2018 +--- + +# Machine resource type + + +# Methods +Method|Return Type |Description +:---|:---|:--- +[List machines](get-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | List set of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the org. +[Get machine](get-machine-by-id-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) | Get a [machine](machine-windows-defender-advanced-threat-protection-new.md) by its identity. +[Get logged on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) | [user](user-windows-defender-advanced-threat-protection-new.md) collection | Get the set of [User](user-windows-defender-advanced-threat-protection-new.md) that logged on to the [machine](machine-windows-defender-advanced-threat-protection-new.md). +[Get related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | Get the set of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities that were raised on the [machine](machine-windows-defender-advanced-threat-protection-new.md). +[Add or Remove machine tags](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) | Add or Remove tag to a specific machine. +[Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | Find machines seen with IP. + +# Properties +Property | Type | Description +:---|:---|:--- +id | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) identity. +computerDnsName | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) fully qualified name. +firstSeen | DateTimeOffset | First date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP. +lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP. +osPlatform | String | OS platform. +osVersion | String | OS Version. +lastIpAddress | String | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md). +lastExternalIpAddress | String | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet. +agentVersion | String | Version of WDATP agent. +osBuild | Nullable long | OS build number. +healthStatus | Enum | [machine](machine-windows-defender-advanced-threat-protection-new.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication" +rbacGroupId | Int | RBAC Group ID. +rbacGroupName | String | RBAC Group Name. +riskScore | Nullable Enum | Risk score as evaluated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. +isAadJoined | Nullable Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined. +aadDeviceId | Nullable Guid | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined). +machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..29d142c046 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,52 @@ +--- +title: machineAction resource type +description: Retrieves top recent machineActions. +keywords: apis, supported apis, get, machineaction, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# MachineAction resource type + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Method|Return Type |Description +:---|:---|:--- +[List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | List [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities. +[Get MachineAction](get-machineaction-object-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Get a single [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity. +[Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Collect investigation package from a [machine](machine-windows-defender-advanced-threat-protection-new.md). +[Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Get URI for downloading the investigation package. +[Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Isolate [machine](machine-windows-defender-advanced-threat-protection-new.md) from network. +[Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Release [machine](machine-windows-defender-advanced-threat-protection-new.md) from Isolation. +[Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Restrict application execution. +[Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Remove application execution restriction. +[Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Run an AV scan using Windows Defender (when applicable). +[Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)|[Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Offboard [machine](machine-windows-defender-advanced-threat-protection-new.md) from WDATP. + +# Properties +Property | Type | Description +:---|:---|:--- +id | Guid | Identity of the [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity. +type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution" +requestor | String | Identity of the person that executed the action. +requestorComment | String | Comment that was written when issuing the action. +status | Enum | Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled". +machineId | String | Id of the machine on which the action was executed. +creationDateTimeUtc | DateTimeOffset | The date and time when the action was created. +lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated. +relatedFileInfo | Class | Contains two Properties. 1) string 'fileIdentifier' 2) Enum 'fileIdentifierType' with the possible values: "Sha1" ,"Sha256" and "Md5". + diff --git a/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md new file mode 100644 index 0000000000..fcbd68ecec --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md @@ -0,0 +1,6 @@ +--- +ms.date: 08/28/2017 +author: zavidor +--- +>[!Note] +> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via WDATP. diff --git a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md index 71992afbff..bf990d1101 100644 --- a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 09/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md index 352b56b258..660e1f0cd1 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 09/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md index 357ef56c3f..3b6362ab90 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 09/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md index 3f276fd070..94a7712aed 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 06/14/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md index 99572285a6..b3d4ebdb7c 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md index d078349bb4..f559363b7a 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/manage-edr.md b/windows/security/threat-protection/windows-defender-atp/manage-edr.md index 5252fa2868..b430f21281 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-edr.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-edr.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 07/01/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md index 83a65ee991..649d06d0fa 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 010/08/2018 --- @@ -19,9 +23,6 @@ ms.date: 010/08/2018 **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -[!include[Prerelease information](prerelease.md)] - - Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of their progress. ![Image of the incidents management pane](images/atp-incidents-mgt-pane.png) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md index 7154f763fb..0ff8691e5c 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/management-apis.md b/windows/security/threat-protection/windows-defender-atp/management-apis.md index 0837b7356d..953abcfa6f 100644 --- a/windows/security/threat-protection/windows-defender-atp/management-apis.md +++ b/windows/security/threat-protection/windows-defender-atp/management-apis.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 09/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md index bcadd41d25..0c182b091a 100644 --- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md @@ -11,11 +11,15 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/19/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 10/19/2018 --- -# Configure Microsoft Cloud App Security integration +# Configure Microsoft Cloud App Security in Windows **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md index c18f430649..75ad85f97d 100644 --- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md @@ -1,7 +1,7 @@ --- title: Microsoft Cloud App Security integration overview -description: -keywords: +description: Windows Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage +keywords: cloud, app, networking, visibility, usage search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -11,10 +11,14 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/18/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 10/18/2018 --- -# Microsoft Cloud App Security integration overview +# Microsoft Cloud App Security in Windows overview **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index e9577e41f5..02bcbfb594 100644 --- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -11,7 +11,11 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 11/06/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 11/20/2018 --- # Minimum requirements for Windows Defender ATP @@ -23,6 +27,11 @@ There are some minimum requirements for onboarding machines to the service. >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink) + +>[!TIP] +>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). + ## Licensing requirements Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: @@ -35,6 +44,7 @@ For more information on the array of features in Windows 10 editions, see [Compa For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf). + ## Related topic - [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md) - [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md index 71a710869a..1940bd5a74 100644 --- a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 10/29/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..a228a7ad08 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,102 @@ +--- +title: Offboard machine API +description: Use this API to offboard a machine from WDATP. +keywords: apis, graph api, supported apis, collect investigation package +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Offboard machine API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Offboard machine from WDATP. + +[!include[Machine actions note](machineactionsnote.md)] + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Offboard | 'Offboard machine' +Delegated (work or school account) | Machine.Offboard | 'Offboard machine' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to 'Global Admin' AD role +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/offboard +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard +Content-type: application/json +{ + "Comment": "Offboard machine by automation" +} +``` + +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "c9042f9b-8483-4526-87b5-35e4c2532223", + "type": "OffboardMachine", + "requestor": "Analyst@contoso.com", + "requestorComment": "offboard machine by automation", + "status": "InProgress", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z", + "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z", + "relatedFileInfo": null +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md index 17bba254f9..9e1a9a8972 100644 --- a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md index aa40fd346e..bc7c30d8a2 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md @@ -11,7 +11,11 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 07/01/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 11/19/2018 --- # Onboard machines to the Windows Defender ATP service @@ -128,7 +132,7 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the #### Internet connectivity Internet connectivity on machines is required either directly or through proxy. -The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data. +The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth. For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) . @@ -138,7 +142,7 @@ Before you onboard machines, the diagnostic data service must be enabled. The se ## Windows Defender Antivirus configuration requirement The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. -You must configure the signature updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md). +You must configure Security intelligence updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md). When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy. diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md index 59c6a4e7a2..0bccc2871e 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md @@ -11,7 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 10/10/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Onboard previous versions of Windows @@ -24,12 +27,14 @@ ms.date: 10/10/2018 - Windows 8.1 Enterprise - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -[!include[Prerelease information](prerelease.md)] >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevel-abovefoldlink) Windows Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions. +>[!IMPORTANT] +>This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more information, see [Preview features](preview-windows-defender-advanced-threat-protection.md). + To onboard down-level Windows client endpoints to Windows Defender ATP, you'll need to: - Configure and update System Center Endpoint Protection clients. - Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP as instructed below. @@ -46,20 +51,18 @@ Windows Defender ATP integrates with System Center Endpoint Protection to provid The following steps are required to enable this integration: - Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting +- Configure your network to allow connections to the Windows Defender Antivirus cloud. For more information, see [Allow connections to the Windows Defender Antivirus cloud](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus#allow-connections-to-the-windows-defender-antivirus-cloud) ## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP ### Before you begin Review the following details to verify minimum system requirements: -- Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) or a later monthly update rollup. +- Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) >[!NOTE] >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. - Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) - - >[!NOTE] - >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. - Install either [.NET framework 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework) @@ -67,9 +70,9 @@ Review the following details to verify minimum system requirements: >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. >Don't install .NET framework 4.0.x, since it will negate the above installation. +- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites) -- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in your environment with Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-concept-hybrid#prerequisites) 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604). @@ -89,7 +92,7 @@ Once completed, you should see onboarded endpoints in the portal within an hour. ### Configure proxy and Internet connectivity settings -- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway). +- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway). - If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service: Agent Resource | Ports diff --git a/windows/security/threat-protection/windows-defender-atp/onboard.md b/windows/security/threat-protection/windows-defender-atp/onboard.md index eff2042b2e..6a260ac891 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 09/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md index fdd308623f..f69f7f9a83 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 07/01/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md index de0be3f887..a9c37011dc 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 10/29/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md index ae60213fe2..a282188a74 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md @@ -11,35 +11,33 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 09/03/2018 --- -# Overview of endpoint detection and response +# Overview of endpoint detection and response **Applies to:** + - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +Windows Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. -The Windows Defender ATP endpoint detection and response capabilities provides near real-time actionable advance attacks detections, enables security analysts to effectively prioritize alerts, unfold the full scope of a breach and take response actions to remediate the threat. +When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an _incident_. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats. +Inspired by the "assume breach" mindset, Windows Defender ATP continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others. The information is stored for six months, enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and approach an investigation through multiple vectors. -When a threat is detected, alerts are be created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called _incident_. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats. - -Inspired by the "assume breach" mindset, Windows Defender ATP continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes and others. This information is stored for six months, enabling an analyst to travel back in time to the starting point of an attack and pivot in various views and approach an investigation through multiple possible vectors. - -The response capabilities give you the power to promptly remediate threats by acting on the affected entities. +The response capabilities give you the power to promptly remediate threats by acting on the affected entities. ## In this section -Topic | Description +Topic | Description :---|:--- -Security operations dashboard | This is where the endpoint detection and response capabilities are surfaced. It provides a high level overview of where detections were seen and highlights where response actions are needed. -Alerts queue | This dashboard shows all the alerts that were seen on machines. Learn how you can view and organize the queue, or how to manage and investigate alerts. -Machines list | Shows a list of machines where alerts have been generated. Learn how you can investigate machines, or how to search for specific events in a timeline, and others. -Take response actions | Learn about the available response actions and how to apply them on machines and files. - - - - - - +[Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) | Explore a high level overview of detections, highlighting where response actions are needed. +[Incidents queue](incidents-queue.md) | View and organize the incidents queue, and manage and investigate alerts. +[Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) | View and organize the machine alerts queue, and manage and investigate alerts. +[Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) | Investigate machines with generated alerts and search for specific events over time. +[Take response actions](response-actions-windows-defender-advanced-threat-protection.md) | Learn about the available response actions and apply them to machines and files. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md index 99b9d8721c..f98065e413 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md @@ -8,6 +8,10 @@ ms.sitesec: library ms.pagetype: security author: justinha ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.author: justinha ms.date: 09/07/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md index 5bed487738..f23f20f711 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 09/12/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md index 7e3637ad4f..e6b0df0de0 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 09/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/overview.md b/windows/security/threat-protection/windows-defender-atp/overview.md index 9741504d5c..90ad7887df 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview.md +++ b/windows/security/threat-protection/windows-defender-atp/overview.md @@ -11,7 +11,11 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 11/20/2018 --- # Overview of Windows Defender ATP capabilities @@ -21,6 +25,10 @@ ms.date: 09/03/2018 Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform. +>[!TIP] +>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). + ## In this section Topic | Description diff --git a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md index 562664aec0..b32528daaa 100644 --- a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..52645783c6 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,119 @@ +--- +title: Submit or Update Ti Indicator API +description: Use this API to submit or Update Ti Indicator. +keywords: apis, graph api, supported apis, submit, ti, ti indicator, update +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Submit or Update TI Indicator API + +[!include[Prerelease information](prerelease.md)] + +>[!Note] +> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information) + + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +- Submits or Updates new [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. + + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Ti.ReadWrite | 'Read and write TI Indicators' + + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/tiindicators +``` + +[!include[Improve request performance](improverequestperformance-new.md)] + + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +indicator | String | Identity of the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. **Required** +indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required** +action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required** +title | String | TI indicator alert title. **Optional** +expirationTime | DateTimeOffset | The expiration time of the indicator. **Optional** +severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional** +description | String | Description of the indicator. **Optional** +recommendedActions | String | TI indicator alert recommended actions. **Optional** + + +## Response +- If successful, this method returns 200 - OK response code and the created / updated [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the response body. +- If not successful: this method return 400 - Bad Request / 409 - Conflict with the failure reason. Bad request usually indicates incorrect body and Conflict can happen if you try to submit a TI Indicator with existing indicator value but with different Indicator type or Action. + +## Example + +**Request** + +Here is an example of the request. + +``` +POST https://api.securitycenter.windows.com/api/tiindicators +Content-type: application/json +{ + "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", + "indicatorType": "FileSha1", + "title": "test", + "expirationTime": "2020-12-12T00:00:00Z", + "action": "AlertAndBlock", + "severity": "Informational", + "description": "test", + "recommendedActions": "TEST" +} + +``` +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", + "indicatorType": "FileSha1", + "title": "test", + "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z", + "createdBy": "45097602-1234-5678-1234-9f453233e62c", + "expirationTime": "2020-12-12T00:00:00Z", + "action": "AlertAndBlock", + "severity": "Informational", + "description": "test", + "recommendedActions": "TEST" +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md index 48c6104eb8..6c737bf2c1 100644 --- a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md @@ -10,7 +10,11 @@ ms.sitesec: library ms.pagetype: security author: mjcaparas ms.localizationpriority: medium -ms.date: 10/19/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 11/26/2018 --- @@ -20,6 +24,10 @@ ms.date: 10/19/2018 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Prerelease information](prerelease.md)] + +>[!TIP] +>Go to **Advanced features** in the **Settings** page to turn on the preview features. >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink) @@ -200,5 +208,10 @@ There are a couple of tabs on the report that's generated: In general, if you know of a specific threat name, CVE, or KB, you can identify machines with unpatched vulnerabilities that might be leveraged by threats. This report also helps you determine whether machine-level mitigations are configured correctly on the machines and prioritize those that might need attention. +## Related topic +- [**Beta** Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md) + + + diff --git a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md index 545da6110c..406846d961 100644 --- a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md index d408ead55e..980babf64a 100644 --- a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- # Configure Windows Defender Security Center settings diff --git a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md index a3411e8a2a..7095ae73d1 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- # Turn on the preview experience in Windows Defender ATP diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index f77b086c9e..c60119b6e2 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -11,7 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 11/05/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual --- # Windows Defender ATP preview features @@ -39,9 +42,8 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Preview features The following features are included in the preview release: -- [Incidents](incidents-queue.md)
      -Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network. - +- [Information protection](information-protection-in-windows-overview.md)
      +Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite. - [Integration with Microsoft Cloud App Security](microsoft-cloud-app-security-integration.md)
      Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. @@ -49,14 +51,10 @@ Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to - [Onboard Windows Server 2019](configure-server-endpoints-windows-defender-advanced-threat-protection.md#windows-server-version-1803-and-windows-server-2019)
      Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. - -- [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
      -Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor - - Windows 7 SP1 Enterprise - - Windows 7 SP1 Pro - - Windows 8.1 Enterprise - - Windows 8.1 Pro - +- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
      +Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. + + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md index 4ede6cb172..69d7354d93 100644 --- a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md @@ -11,7 +11,11 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 10/26/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 11/19/2018 --- # Pull Windows Defender ATP alerts using REST API @@ -73,7 +77,7 @@ The response will include an access token and expiry information. ```json { "token_type": "Bearer", - "expires_in": "3599" + "expires_in": "3599", "ext_expires_in": "0", "expires_on": "1488720683", "not_before": "1488720683", @@ -98,7 +102,7 @@ Authorization | string | Required. The Azure AD access token in the form **Beare ### Request parameters -Use optional query parameters to specify and control the amount of data returned in a response. If you call this method without parameters, the response contains all the alerts in your organization. +Use optional query parameters to specify and control the amount of data returned in a response. If you call this method without parameters, the response contains all the alerts in your organization in the last 2 hours. Name | Value| Description :---|:---|:--- @@ -106,6 +110,9 @@ DateTime?sinceTimeUtc | string | Defines the lower time bound alerts are retriev DateTime?untilTimeUtc | string | Defines the upper time bound alerts are retrieved.
      The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.

      **NOTE**: When not specified, the default value will be the current time. string ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.

      Value should be set according to **ISO 8601** duration format
      E.g. `ago=PT10M` will pull alerts received in the last 10 minutes. int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.

      **NOTE**: When not specified, all alerts available in the time range will be retrieved. +machinegroups | String | Specifies machine groups to pull alerts from.

      **NOTE**: When not specified, alerts from all machine groups will be retrieved.

      Example:

      ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines``` +DeviceCreatedMachineTags | string | Single machine tag from the registry. +CloudCreatedMachineTags | string | Machine tags that were created in Windows Defender Security Center. ### Request example The following example demonstrates how to retrieve all the alerts in your organization. diff --git a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md index 57d3428cbc..01a648cb4f 100644 --- a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md index bc2837f2bb..f2c279e739 100644 --- a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 05/08/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md index 8c0f6851d1..4d7432ff2f 100644 --- a/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Request sample API +# Request sample API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecatedinformation](deprecate.md)] Request sample of a file from a specific machine. File will be collected from the machine and uploaded to a secure storage. diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index e6e881df90..8f7a09142a 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index cdc3c156e4..c82e80bdbd 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -11,7 +11,11 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 11/05/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 11/28/2018 --- # Take response actions on a machine @@ -122,6 +126,7 @@ In addition to the ability of containing an attack by stopping malicious process >[!IMPORTANT] > - This action is available for machines on Windows 10, version 1709 or later. +> - This feature is available if your organization uses Windows Defender Antivirus. > - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). @@ -182,7 +187,7 @@ Depending on the severity of the attack and the sensitivity of the machine, you This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. -On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. +On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation'). >[!NOTE] >You’ll be able to reconnect the machine back to the network at any time. @@ -198,7 +203,7 @@ On Windows 10, version 1709 or later, you'll have additional control over the ne ![Image of isolate machine](images/atp-actions-isolate-machine.png) -3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated. +3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated (a.k.a. 'Selective Isolation'). ![Image of isolation confirmation](images/atp-confirm-isolate.png) diff --git a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md index 202606d056..0c62d93571 100644 --- a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 11/12/2017 --- diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..5cf3e7bd28 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,105 @@ +--- +title: Restrict app execution API +description: Use this API to create calls related to restricting an application from executing. +keywords: apis, graph api, supported apis, collect investigation package +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Restrict app execution API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Restrict execution of all applications on the machine except a predefined set (see [Response machine alerts](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information) + +[!include[Machine actions note](machineactionsnote.md)] + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.RestrictExecution | 'Restrict code execution' +Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/restrictCodeExecution +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution +Content-type: application/json +{ + "Comment": "Restrict code execution due to alert 1234" +} + +``` +**Response** + +Here is an example of the response. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "78d408d1-384c-4c19-8b57-ba39e378011a", + "type": "RestrictCodeExecution", + "requestor": "Analyst@contoso.com ", + "requestorComment": "Restrict code execution due to alert 1234", + "status": "InProgress", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z", + "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z", + "relatedFileInfo": null +} + +``` + +To remove code execution restriction from a machine, see [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md). + diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md index 3eb57786f8..3f75d91bd0 100644 --- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md @@ -11,15 +11,19 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Restrict app execution API +# Restrict app execution API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecatedinformation](deprecate.md)] Restrict execution of set of predefined applications. diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md new file mode 100644 index 0000000000..b3d7d901b7 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md @@ -0,0 +1,155 @@ +--- +title: Advanced Hunting API +description: Use this API to run advanced queries +keywords: apis, supported apis, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 09/03/2018 +--- + +# Advanced hunting API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +[!include[Prerelease information](prerelease.md)] + + + +This API allows you to run programmatic queries that you are used to running from [Windows Defender ATP Portal](https://securitycenter.windows.com/hunting). + + +## Limitations +This API is a beta version only and is currently restricted to the following actions: +1. ​You can only run a query on data from the last 30 days +2. The results will include a maximum of 10,000 rows +3. The number of executions is limited​ (up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day) + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | AdvancedQuery.Read.All | 'Run advanced queries' +Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have 'Global Admin' AD role (note: will be updated soon to 'View Data') +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/advancedqueries/run +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Query | Text | The query to run. **Required**. + +## Response +If successful, this method returns 200 OK, and _QueryResponse_ object in the response body. + + +## Example + +Request + +Here is an example of the request. + +>[!NOTE] +>For better performance, you can use server closer to your geo location: +> - api-us.securitycenter.windows.com +> - api-eu.securitycenter.windows.com +> - api-uk.securitycenter.windows.com + +``` +POST https://api.securitycenter.windows.com/api/advancedqueries/run +Content-type: application/json +{ + "Query":"ProcessCreationEvents +| where InitiatingProcessFileName =~ \"powershell.exe\" +| where ProcessCommandLine contains \"appdata\" +| project EventTime, FileName, InitiatingProcessFileName +| limit 2" +} +``` + +Response + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. + +``` +HTTP/1.1 200 OK +Content-Type: application/json​ +{ + "Schema": [{ + "Name": "EventTime", + "Type": "DateTime" + }, + { + "Name": "FileName", + "Type": "String" + }, + { + "Name": "InitiatingProcessFileName", + "Type": "String" + }], + "Results": [{ + "EventTime": "2018-07-09T07:16:26.8017265", + "FileName": "csc.exe", + "InitiatingProcessFileName": "powershell.exe" + }, + { + "EventTime": "2018-07-08T19:00:02.7798905", + "FileName": "gpresult.exe", + "InitiatingProcessFileName": "powershell.exe" + }] +} + + +``` + +## T​roubl​eshoot issues + +- Error: (403) Forbidden + + + If you get this error when calling Windows Defender ATP API, your token might not include the necessary permission. + + Check [app permissions](exposed-apis-create-app-webapp.md#validate-the-token) or [delegated permissions](exposed-apis-create-app-nativeapp.md#validate-the-token) included in your token. + + If the 'roles' section in the token does not include the necessary permission: + + - The necessary permission to your app might not have been granted. For more information, see [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md#create-an-app) or [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md#create-an-app) or, + - The app was not authorized in the tenant, see [Application consent](exposed-apis-create-app-webapp.md#application-consent). + + +## Related topic +- [Windows Defender ATP APIs](apis-intro.md) +- [Advanced Hunting from Portal](advanced-hunting-windows-defender-advanced-threat-protection.md) +- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) +- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md new file mode 100644 index 0000000000..90d62c40c1 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md @@ -0,0 +1,92 @@ +--- +title: Advanced Hunting API +description: Use this API to run advanced queries +keywords: apis, supported apis, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 09/24/2018 +--- + +# Schedule Advanced Hunting using Microsoft Flow +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +Schedule advanced query. + +## Before you begin +You first need to [create an app](apis-intro.md). + +## Use case + +A common scenario is scheduling an advanced query and using the results for follow up actions and processing. +In this section we share sample for this purpose using [Microsoft Flow](https://flow.microsoft.com/) (or [Logic Apps](https://azure.microsoft.com/en-us/services/logic-apps/)). + +## Define a flow to run query and parse results + +Use the following basic flow as an example. + +1. Define the trigger – Recurrence by time. + +2. Add an action: Select HTTP. + + ![Image of MsFlow choose an action](images/ms-flow-choose-action.png) + + - Set method to be POST + - Uri is https://api.securitycenter.windows.com/api/advancedqueries/run or one of the region specific locations + - US: https://api-us.securitycenter.windows.com/api/advancedqueries/run + - Europe: https://api-eu.securitycenter.windows.com/api/advancedqueries/run + - United Kingdom: https://api-uk.securitycenter.windows.com/api/advancedqueries/run + - Add the Header: Content-Type application/json + - In the body write your query surrounded by single quotation mark (') + - In the Advanced options select Authentication to be Active Directory OAuth + - Set the Tenant with proper AAD Tenant Id + - Audience is https://api.securitycenter.windows.com + - Client ID is your application ID + - Credential Type should be Secret + - Secret is the application secret generated in the Azure Active directory. + + ![Image of MsFlow define action](images/ms-flow-define-action.png) + +3. You can use the "Parse JSON" action to get the schema of data – just "use sample payload to generate schema" and copy an output from of the expected result. + + ![Image of MsFlow parse json](images/ms-flow-parse-json.png) + +## Expand the flow to use the query results + +The following section shows how to use the parsed results to insert them in SQL database. + +This is an example only, you can use other actions supported by Microsoft Flow. + +- Add an 'Apply to each' action +- Select the Results json (which was an output of the last parse action) +- Add an 'Insert row' action – you will need to supply the connection details +- Select the table you want to update and define the mapping between the WD-ATP output to the SQL. Note it is possible to manipulate the data inside the flow. In the example I changed the type of the EventTime. + +![Image of insert into DB](images/ms-flow-insert-db.png) + +The output in the SQL DB is getting updates and can be used for correlation with other data sources. You can now read from your table: + +![Image of select from DB](images/ms-flow-read-db.png) + +## Full flow definition + +You can find below the full definition + +![Image of E2E flow](images/ms-flow-e2e.png) + +## Related topic +- [Windows Defender ATP APIs](apis-intro.md) +- [Advanced Hunting API](run-advanced-query-api.md) +- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md new file mode 100644 index 0000000000..dbbd0cd122 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md @@ -0,0 +1,138 @@ +--- +title: Advanced Hunting API +description: Use this API to run advanced queries +keywords: apis, supported apis, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 30/07/2018 +--- + +# Create custom reports using Power BI (app authentication) + +Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before. + +In this section we share Power BI query sample to run a query using **application token**. + +If you want to use **user token** instead please refer to [this](run-advanced-query-sample-power-bi-user-token.md) tutorial. + +>**Prerequisite**: You first need to [create an app](exposed-apis-create-app-webapp.md). + +## Run a query + +- Open Microsoft Power BI + +- Click **Get Data** > **Blank Query** + + ![Image of create blank query](images/power-bi-create-blank-query.png) + +- Click **Advanced Editor** + + ![Image of open advanced editor](images/power-bi-open-advanced-editor.png) + +- Copy the below and paste it in the editor, after you update the values of TenantId, AppId, AppSecret, Query + + ``` + let + + TenantId = "00000000-0000-0000-0000-000000000000", // Paste your own tenant ID here + AppId = "11111111-1111-1111-1111-111111111111", // Paste your own app ID here + AppSecret = "22222222-2222-2222-2222-222222222222", // Paste your own app secret here + Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", // Paste your own query here + + ResourceAppIdUrl = "https://api.securitycenter.windows.com", + OAuthUrl = Text.Combine({"https://login.windows.net/", TenantId, "/oauth2/token"}, ""), + + Resource = Text.Combine({"resource", Uri.EscapeDataString(ResourceAppIdUrl)}, "="), + ClientId = Text.Combine({"client_id", AppId}, "="), + ClientSecret = Text.Combine({"client_secret", Uri.EscapeDataString(AppSecret)}, "="), + GrantType = Text.Combine({"grant_type", "client_credentials"}, "="), + + Body = Text.Combine({Resource, ClientId, ClientSecret, GrantType}, "&"), + + AuthResponse= Json.Document(Web.Contents(OAuthUrl, [Content=Text.ToBinary(Body)])), + AccessToken= AuthResponse[access_token], + Bearer = Text.Combine({"Bearer", AccessToken}, " "), + + AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run", + + Response = Json.Document(Web.Contents( + AdvancedHuntingUrl, + [ + Headers = [#"Content-Type"="application/json", #"Accept"="application/json", #"Authorization"=Bearer], + Content=Json.FromValue([#"Query"=Query]) + ] + )), + + TypeMap = #table( + { "Type", "PowerBiType" }, + { + { "Double", Double.Type }, + { "Int64", Int64.Type }, + { "Int32", Int32.Type }, + { "Int16", Int16.Type }, + { "UInt64", Number.Type }, + { "UInt32", Number.Type }, + { "UInt16", Number.Type }, + { "Byte", Byte.Type }, + { "Single", Single.Type }, + { "Decimal", Decimal.Type }, + { "TimeSpan", Duration.Type }, + { "DateTime", DateTimeZone.Type }, + { "String", Text.Type }, + { "Boolean", Logical.Type }, + { "SByte", Logical.Type }, + { "Guid", Text.Type } + }), + + Schema = Table.FromRecords(Response[Schema]), + TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}), + Results = Response[Results], + Rows = Table.FromRecords(Results, Schema[Name]), + Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}})) + + in Table + + ``` + +- Click **Done** + + ![Image of create advanced query](images/power-bi-create-advanced-query.png) + +- Click **Edit Credentials** + + ![Image of edit credentials](images/power-bi-edit-credentials.png) + +- Select **Anonymous** and click **Connect** + + ![Image of set credentials](images/power-bi-set-credentials-anonymous.png) + +- Repeat the previous step for the second URL + +- Click **Continue** + + ![Image of edit data privacy](images/power-bi-edit-data-privacy.png) + +- Select the privacy level you want and click **Save** + + ![Image of set data privacy](images/power-bi-set-data-privacy.png) + +- View the results of your query + + ![Image of query results](images/power-bi-query-results.png) + +## Related topic +- [Create custom Power BI reports with user authentication](run-advanced-query-sample-power-bi-user-token.md) +- [Windows Defender ATP APIs](apis-intro.md) +- [Advanced Hunting API](run-advanced-query-api.md) +- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) +- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md new file mode 100644 index 0000000000..f4b88a4481 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md @@ -0,0 +1,119 @@ +--- +title: Advanced Hunting API +description: Use this API to run advanced queries +keywords: apis, supported apis, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 30/07/2018 +--- + +# Create custom reports using Power BI (user authentication) +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + + +Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before. + +In this section we share Power BI query sample to run a query using **user token**. + +If you want to use **application token** instead please refer to [this](run-advanced-query-sample-power-bi-app-token.md) tutorial. + +## Before you begin +You first need to [create an app](exposed-apis-create-app-nativeapp.md). + +## Run a query + +- Open Microsoft Power BI + +- Click **Get Data** > **Blank Query** + + ![Image of create blank query](images/power-bi-create-blank-query.png) + +- Click **Advanced Editor** + + ![Image of open advanced editor](images/power-bi-open-advanced-editor.png) + +- Copy the below and paste it in the editor, after you update the values of Query + + ``` + let + + Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", + + FormattedQuery= Uri.EscapeDataString(Query), + + AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries?key=" & FormattedQuery, + + Response = Json.Document(Web.Contents(AdvancedHuntingUrl)), + + TypeMap = #table( + { "Type", "PowerBiType" }, + { + { "Double", Double.Type }, + { "Int64", Int64.Type }, + { "Int32", Int32.Type }, + { "Int16", Int16.Type }, + { "UInt64", Number.Type }, + { "UInt32", Number.Type }, + { "UInt16", Number.Type }, + { "Byte", Byte.Type }, + { "Single", Single.Type }, + { "Decimal", Decimal.Type }, + { "TimeSpan", Duration.Type }, + { "DateTime", DateTimeZone.Type }, + { "String", Text.Type }, + { "Boolean", Logical.Type }, + { "SByte", Logical.Type }, + { "Guid", Text.Type } + }), + + Schema = Table.FromRecords(Response[Schema]), + TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}), + Results = Response[Results], + Rows = Table.FromRecords(Results, Schema[Name]), + Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}})) + + in Table + + ``` + +- Click **Done** + + ![Image of create advanced query](images/power-bi-create-advanced-query.png) + +- Click **Edit Credentials** + + ![Image of edit credentials](images/power-bi-edit-credentials.png) + +- Select **Organizational account** > **Sign in** + + ![Image of set credentials](images/power-bi-set-credentials-organizational.png) + +- Enter your credentials and wait to be signed in + +- Click **Connect** + + ![Image of set credentials](images/power-bi-set-credentials-organizational-cont.png) + +- View the results of your query + + ![Image of query results](images/power-bi-query-results.png) + +## Related topic +- [Create custom Power BI reports with app authentication](run-advanced-query-sample-power-bi-app-token.md) +- [Windows Defender ATP APIs](apis-intro.md) +- [Advanced Hunting API](run-advanced-query-api.md) +- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) +- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md new file mode 100644 index 0000000000..88eb22a167 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md @@ -0,0 +1,123 @@ +--- +title: Advanced Hunting API +description: Use this API to run advanced queries +keywords: apis, supported apis, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 09/24/2018 +--- + +# Advanced Hunting using PowerShell +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + + +Run advanced queries using PowerShell, see [Advanced Hunting API](run-advanced-query-api.md). + +In this section we share PowerShell samples to retrieve a token and use it to run a query. + +## Before you begin +You first need to [create an app](apis-intro.md). + +## Preparation instructions + +- Open a PowerShell window. +- If your policy does not allow you to run the PowerShell commands, you can run the below command: +``` +Set-ExecutionPolicy -ExecutionPolicy Bypass +``` + +>For more details, see [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy) + +## Get token + +- Run the following: + +``` +$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here +$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here +$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here + +$resourceAppIdUri = 'https://api.securitycenter.windows.com' +$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" +$body = [Ordered] @{ + resource = "$resourceAppIdUri" + client_id = "$appId" + client_secret = "$appSecret" + grant_type = 'client_credentials' +} +$response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorAction Stop +$aadToken = $response.access_token + +``` + +where +- $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) +- $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP) +- $appSecret: Secret of your AAD app + +## Run query + +Run the following query: + +``` +$query = 'RegistryEvents | limit 10' # Paste your own query here + +$url = "https://api.securitycenter.windows.com/api/advancedqueries/run" +$headers = @{ + 'Content-Type' = 'application/json' + Accept = 'application/json' + Authorization = "Bearer $aadToken" +} +$body = ConvertTo-Json -InputObject @{ 'Query' = $query } +$webResponse = Invoke-WebRequest -Method Post -Uri $url -Headers $headers -Body $body -ErrorAction Stop +$response = $webResponse | ConvertFrom-Json +$results = $response.Results +$schema = $response.Schema +``` + +- $results contains the results of your query +- $schema contains the schema of the results of your query + +### Complex queries + +If you want to run complex queries (or multilines queries), save your query in a file and, instead of the first line in the above sample, run the below command: + +``` +$query = [IO.File]::ReadAllText("C:\myQuery.txt"); # Replace with the path to your file +``` + +## Work with query results + +You can now use the query results. + +To output the results of the query in CSV format in file file1.csv do the below: + +``` +$results | ConvertTo-Csv -NoTypeInformation | Set-Content file1.csv +``` + +To output the results of the query in JSON format in file file1.json​ do the below: + +``` +$results | ConvertTo-Json | Set-Content file1.json +``` + + +## Related topic +- [Windows Defender ATP APIs](apis-intro.md) +- [Advanced Hunting API](run-advanced-query-api.md) +- [Advanced Hunting using Python](run-advanced-query-sample-python.md) +- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md new file mode 100644 index 0000000000..2b39edf624 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md @@ -0,0 +1,150 @@ +--- +title: Advanced Hunting API +description: Use this API to run advanced queries +keywords: apis, supported apis, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 30/07/2018 +--- + +# Advanced Hunting using Python +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +Run advanced queries using Python, see [Advanced Hunting API](run-advanced-query-api.md). + +In this section we share Python samples to retrieve a token and use it to run a query. + +>**Prerequisite**: You first need to [create an app](apis-intro.md). + +## Get token + +- Run the following: + +``` + +import json +import urllib.request +import urllib.parse + +tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here +appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here +appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here + +url = "https://login.windows.net/%s/oauth2/token" % (tenantId) + +resourceAppIdUri = 'https://api.securitycenter.windows.com' + +body = { + 'resource' : resourceAppIdUri, + 'client_id' : appId, + 'client_secret' : appSecret, + 'grant_type' : 'client_credentials' +} + +data = urllib.parse.urlencode(body).encode("utf-8") + +req = urllib.request.Request(url, data) +response = urllib.request.urlopen(req) +jsonResponse = json.loads(response.read()) +aadToken = jsonResponse["access_token"] + +``` + +where +- tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) +- appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP) +- appSecret: Secret of your AAD app + +## Run query + + Run the following query: + +``` +query = 'RegistryEvents | limit 10' # Paste your own query here + +url = "https://api.securitycenter.windows.com/api/advancedqueries/run" +headers = { + 'Content-Type' : 'application/json', + 'Accept' : 'application/json', + 'Authorization' : "Bearer " + aadToken +} + +data = json.dumps({ 'Query' : query }).encode("utf-8") + +req = urllib.request.Request(url, data, headers) +response = urllib.request.urlopen(req) +jsonResponse = json.loads(response.read()) +schema = jsonResponse["Schema"] +results = jsonResponse["Results"] + +``` + +- schema contains the schema of the results of your query +- results contains the results of your query + +### Complex queries + +If you want to run complex queries (or multilines queries), save your query in a file and, instead of the first line in the above sample, run the below command: + +``` +queryFile = open("D:\\Temp\\myQuery.txt", 'r') # Replace with the path to your file +query = queryFile.read() +queryFile.close() +``` + +## Work with query results + +You can now use the query results. + +To iterate over the results do the below: + +``` +for result in results: + print(result) # Prints the whole result + print(result["EventTime"]) # Prints only the property 'EventTime' from the result + + +``` + + +To output the results of the query in CSV format in file file1.csv do the below: + +``` +import csv + +outputFile = open("D:\\Temp\\file1.csv", 'w') +output = csv.writer(outputFile) +output.writerow(results[0].keys()) +for result in results: + output.writerow(result.values()) + +outputFile.close() +``` + +To output the results of the query in JSON format in file file1.json​ do the below: + +``` +outputFile = open("D:\\Temp\\file1.json", 'w') +json.dump(results, outputFile) +outputFile.close() +``` + + +## Related topic +- [Windows Defender ATP APIs](apis-intro.md) +- [Advanced Hunting API](run-advanced-query-api.md) +- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) +- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..4a58f9eedf --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,111 @@ +--- +title: Run antivirus scan API +description: Use this API to create calls related to running an antivirus scan on a machine. +keywords: apis, graph api, supported apis, remove machine from isolation +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Run antivirus scan API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +Initiate Windows Defender Antivirus scan on a machine. + +[!include[Machine actions note](machineactionsnote.md)] + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Scan | 'Scan machine' +Delegated (work or school account) | Machine.Scan | 'Scan machine' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/runAntiVirusScan +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. +ScanType| String | Defines the type of the Scan. **Required**. + +**ScanType** controls the type of scan to perform and can be one of the following: + +- **Quick** – Perform quick scan on the machine +- **Full** – Perform full scan on the machine + + + +## Response +If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan +Content-type: application/json +{ + "Comment": "Check machine for viruses due to alert 3212", + “ScanType”: “Full” +} +``` + +**Response** + +Here is an example of the response. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", + "type": "RunAntiVirusScan", + "requestor": "Analyst@contoso.com", + "requestorComment": "Check machine for viruses due to alert 3212", + "status": "InProgress", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", + "lastUpdateTimeUtc": "2018-12-04T12:18:27.1293487Z", + "relatedFileInfo": null +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md index 73333ff005..8ed75cb329 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md @@ -11,15 +11,19 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Run antivirus scan API +# Run antivirus scan API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecated information](deprecate.md)] Initiate Windows Defender Antivirus scan on the machine. diff --git a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md index e0cf7f036b..ec866e736e 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 09/07/2018 --- @@ -39,11 +43,11 @@ Run the following PowerShell script on a newly onboarded machine to verify that 3. At the prompt, copy and run the following command: ``` - powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-WDATP-test\invoice.exe');Start-Process 'C:\test-WDATP-test\invoice.exe' + powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe' ``` The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes. ## Related topics - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md index 6fff222564..2a6ed6838b 100644 --- a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md @@ -10,6 +10,10 @@ ms.sitesec: library ms.pagetype: security author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 10/26/2018 --- @@ -49,7 +53,7 @@ Machines are considered "well configured" for Windows Defender AV if the followi - Windows Defender AV is reporting correctly - Windows Defender AV is turned on -- Signature definitions are up to date +- Security intelligence is up to date - Real-time protection is on - Potentially Unwanted Application (PUA) protection is enabled @@ -62,7 +66,7 @@ You can take the following actions to increase the overall security score of you - Fix antivirus reporting - This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md). - Turn on antivirus -- Update antivirus definitions +- Update antivirus Security intelligence - Turn on real-time protection - Turn on PUA protection @@ -236,7 +240,7 @@ For a machine to be considered "well configured", it must comply to a minimum ba >This security control is only applicable for machines with Windows 10, version 1803 or later. #### Minimum baseline configuration setting for BitLocker -- Ensure all supported internal drives are encrypted +- Ensure all supported drives are encrypted - Ensure that all suspended protection on drives resume protection - Ensure that drives are compatible diff --git a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md index a5f69cd49c..7c773ae71b 100644 --- a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 09/04/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md index b74a5f896b..9189cf364e 100644 --- a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..49687ff26c --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,109 @@ +--- +title: Stop and quarantine file API +description: Use this API to stop and quarantine file. +keywords: apis, graph api, supported apis, stop and quarantine file +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Stop and quarantine file API + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +- Stop execution of a file on a machine and delete it. + +[!include[Machine actions note](machineactionsnote.md)] + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.StopAndQuarantine | 'Stop And Quarantine' +Delegated (work or school account) | Machine.StopAndQuarantine | 'Stop And Quarantine' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/StopAndQuarantineFile +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. +Sha1 | String | Sha1 of the file to stop and quarantine on the machine. **Required**. + +## Response +If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile +Content-type: application/json +{ + "Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442", + "Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9" +} + +``` +**Response** + +Here is an example of the response. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "141408d1-384c-4c19-8b57-ba39e378011a", + "type": "StopAndQuarantineFile", + "requestor": "Analyst@contoso.com ", + "requestorComment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442", + "status": "InProgress", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z", + "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z", + "relatedFileInfo": { + "fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9", + "fileIdentifierType": "Sha1" + } +} + +``` + diff --git a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md index 06af6fc6af..f3b54eaefe 100644 --- a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md @@ -11,15 +11,19 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Stop and quarantine file API +# Stop and quarantine file API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecated information](deprecate.md)] Stop execution of a file on a machine and ensure it’s not executed again on that machine. diff --git a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md index e5bb46bc1d..a01fb9ed2b 100644 --- a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md @@ -11,18 +11,21 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 09/03/2018 --- -# Supported Windows Defender ATP query APIs +# Supported Windows Defender ATP query APIs (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink) - Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. ## In this section @@ -38,5 +41,4 @@ User | Run API calls such as get alert related user information, user informatio KbInfo | Run API call that gets list of Windows KB's information CveKbMap | Run API call that gets mapping of CVE's to corresponding KB's MachineSecurityStates | Run API call that gets list of machines with their security properties and versions -MachineGroups | Run API call that gets list of machine group definitions - +MachineGroups | Run API call that gets list of machine group definitions \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md index 55dd5a1cfc..bc06fcaf60 100644 --- a/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 12/01/2017 --- diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md index 4aab3cf41a..bbcdcee3cf 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 09/03/2018 --- @@ -29,7 +33,7 @@ Note the following requirements and limitations of the charts and what you might - Only active machines running Windows 10 are checked for OS mitigations. - When checking for microcode mitgations, Windows Defender ATP currently checks for updates applicable to Intel CPU processors only. -- To determine microcode mitigation status, machines must enable Windows Defender Antivirus and update to definition version 1.259.1545.0 or above. +- To determine microcode mitigation status, machines must enable Windows Defender Antivirus and update to Security intelligence version 1.259.1545.0 or above. - To be covered under the overall mitigation status, machines must have both OS and microcode mitigation information. ## Assess organizational risk with Threat analytics diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics.md index ba29920b5d..a4669b615e 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 10/29/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md index 155f23aef6..32eb1e6116 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 09/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md index e0301cebc1..0791b9b679 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md @@ -11,7 +11,11 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 10/12/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 12/03/2018 --- # Microsoft Threat Protection @@ -28,24 +32,30 @@ Microsoft's multiple layers of threat protection across data, applications, devi Each layer in the threat protection stack plays a critical role in protecting customers. The deep integration between these layers results in better protected customers. -## Conditional access -Windows Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources. - -## Office 365 Advanced Threat Protection (Office 365 ATP) -[Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Windows Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked. - ## Azure Advanced Threat Protection (Azure ATP) Suspicious activities are processes running under a user context. The integration between Windows Defender ATP and Azure ATP provides the flexibility of conducting cyber security investigation across activities and identities. -## Skype for Business -The Skype for Business integration provides s a way for analysts to communicate with a potentially compromised user or device owner through ao simple button from the portal. - ## Azure Security Center Windows Defender ATP provides a comprehensive server protection solution, including endpoint detection and response (EDR) capabilities on Windows Servers. +## Azure Information Protection +Keep sensitive data secure while enabling productivity in the workplace through data data discovery and data protection. + +## Conditional access +Windows Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources. + + ## Microsoft Cloud App Security Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. +## Office 365 Advanced Threat Protection (Office 365 ATP) +[Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Windows Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked. + +## Skype for Business +The Skype for Business integration provides s a way for analysts to communicate with a potentially compromised user or device owner through ao simple button from the portal. + + + ## Related topic - [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..e7d1f84fe2 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,49 @@ +--- +title: TiIndicator resource type +description: TiIndicator entity description. +keywords: apis, supported apis, get, TiIndicator, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# TI(threat intelligence) Indicator resource type + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Method|Return Type |Description +:---|:---|:--- +[List TI Indicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) Collection | List [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities. +[Get TI Indicator by ID](get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Gets the requested [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. +[Submit TI Indicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Submits [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. +[Delete TI Indicator](delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | No Content | Deletes [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. + + +# Properties +Property | Type | Description +:---|:---|:--- +indicator | String | Identity of the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. +indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url" +title | String | Ti indicator alert title. +creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created. +createdBy | String | Identity of the user/application that submitted the indicator. +expirationTime | DateTimeOffset | The expiration time of the indicator +action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed" +severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High" +description | String | Description of the indicator. +recommendedActions | String | TI indicator alert recommended actions. + + diff --git a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md index e513ef6ba4..9fb06adc92 100644 --- a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 02/13/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md index 193e3acb5f..89c8c201fd 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: troubleshooting ms.date: 06/25/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md index 01a0beefda..61bb32e5a1 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: v-tanewt author: tbit0001 ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: troubleshooting ms.date: 08/01/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 3a34547911..82e4b1c6f7 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: troubleshooting ms.date: 09/07/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md index ec2722306c..e652ed98c1 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md @@ -11,7 +11,11 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 02/13/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: troubleshooting +ms.date: 11/08/2018 --- # Troubleshoot SIEM tool integration issues @@ -67,6 +71,12 @@ If you encounter an error when trying to get a refresh token when using the thre 6. Click **Save**. +## Error while enabling the SIEM connector application +If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability. + + + + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink) ## Related topics diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md index 272709e22a..fccd8ca55a 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: troubleshooting ms.date: 09/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md index 2f5332e094..ee883b6d7f 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: troubleshooting ms.date: 07/30/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md index fffb9ad229..1736e61abf 100644 --- a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Unblock file API +# Unblock file API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecatedinformation](deprecate.md)] Allow a file to be executed in the organization, using Windows Defender Antivirus. diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..07203db964 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,109 @@ +--- +title: Release machine from isolation API +description: Use this API to create calls related to release a machine from isolation. +keywords: apis, graph api, supported apis, remove machine from isolation +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Release machine from isolation API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Undo isolation of a machine. + +[!include[Machine actions note](machineactionsnote.md)] + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Isolate | 'Isolate machine' +Delegated (work or school account) | Machine.Isolate | 'Isolate machine' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/unisolate +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate +Content-type: application/json +{ + "Comment": "Unisolate machine since it was clean and validated" +} + +``` +**Response** + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "09a0f91e-a2eb-409d-af33-5577fe9bd558", + "type": "Unisolate", + "requestor": "Analyst@contoso.com ", + "requestorComment": "Unisolate machine since it was clean and validated ", + "status": "InProgress", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "creationDateTimeUtc": "2018-12-04T12:13:15.0104931Z", + "lastUpdateTimeUtc": "2018-12-04T12:13:15.0104931Z", + "relatedFileInfo": null +} + +``` + +To isolate a machine, see [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md). + diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md index 560416bc51..75c9b7f246 100644 --- a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Release machine from isolation API +# Release machine from isolation API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecatedinformation](deprecate.md)] Undo isolation of a machine. diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..d6bd15719c --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,104 @@ +--- +title: Remove app restriction API +description: Use this API to create calls related to removing a restriction from applications from executing. +keywords: apis, graph api, supported apis, remove machine from isolation +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Remove app restriction API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Enable execution of any application on the machine. + +[!include[Machine actions note](machineactionsnote.md)] + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.RestrictExecution | 'Restrict code execution' +Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/unrestrictCodeExecution +``` + +## Request headers +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution +Content-type: application/json +{ + "Comment": "Unrestrict code execution since machine was cleaned and validated" +} + +``` + +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e", + "type": "UnrestrictCodeExecution", + "requestor": "Analyst@contoso.com", + "requestorComment": "Unrestrict code execution since machine was cleaned and validated ", + "status": "InProgress", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z", + "lastUpdateTimeUtc": "2018-12-04T12:15:40.6052029Z", + "relatedFileInfo": null +} + +``` + +To restrict code execution on a machine, see [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md). \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md index 10def5a55d..413288c9bf 100644 --- a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md @@ -11,16 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 12/08/2017 --- -# Remove app restriction API +# Remove app restriction API (deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +[!include[Deprecatedinformation](deprecate.md)] Unrestrict execution of set of predefined applications. diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..8c700cf5fd --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,112 @@ +--- +title: Get alert information by ID API +description: Retrieves an alert by its ID. +keywords: apis, graph api, supported apis, get, alert, information, id +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Update alert +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +[!include[Prereleaseinformation](prerelease.md)] +Update the properties of an alert entity. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alerts.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +PATCH /api/alerts/{id} +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | String | application/json. **Required**. + + +## Request body +In the request body, supply the values for the relevant fields that should be updated.Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance you shouldn't include existing values that haven't change. + +Property | Type | Description +:---|:---|:--- +status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'. +assignedTo | String | Owner of the alert +classification | String | Specifies the specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'. +determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other' + + +## Response +If successful, this method returns 200 OK, and the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entity in the response body with the updated properties. If alert with the specified id was not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442 +Content-Type: application/json +{ + "assignedTo": "secop2@contoso.com" +} +``` + +**Response** + +Here is an example of the response. + +``` +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity", + "id": "121688558380765161_2136280442", + "incidentId": 7696, + "assignedTo": "secop2@contoso.com", + "severity": "High", + "status": "New", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-26T16:19:21.8409809Z", + "firstEventTime": "2018-11-26T16:17:50.0948658Z", + "lastEventTime": "2018-11-26T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/use-apis.md b/windows/security/threat-protection/windows-defender-atp/use-apis.md new file mode 100644 index 0000000000..20e1451805 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/use-apis.md @@ -0,0 +1,30 @@ +--- +title: Use the Windows Defender Advanced Threat Protection APIs +description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. +keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 11/28/2018 +--- + +# Use the Windows Defender ATP exposed APIs + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +## In this section +Topic | Description +:---|:--- +Create your app | Learn how to create an application to get programmatical access to Windows Defender ATP [on behalf of a user](exposed-apis-create-app-nativeapp.md) or [without a user](exposed-apis-create-app-webapp.md). +Supported Windows Defender ATP APIs | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. Examples include APIs for [alert resource type](alerts-windows-defender-advanced-threat-protection-new.md), [domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md), or even actions such as [isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md). +How to use APIs - Samples | Learn how to use Advanced hunting APIs and multiple APIs such as PowerShell. Other examples include [schedule advanced hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) or [OData queries](exposed-apis-odata-samples.md). diff --git a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md index 261e038a76..ad0f8cbfec 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md index b61baaafb2..ac8f1799c4 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 03/12/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index 505e031a5a..89ee51ebff 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- title: Create and manage roles for role-based access control -description: Create roles and define the permissions assigned to the role as part of the role-based access control implimentation +description: Create roles and define the permissions assigned to the role as part of the role-based access control implementation keywords: user roles, roles, access rbac search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -11,7 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article --- # Create and manage roles for role-based access control @@ -25,21 +28,23 @@ ms.date: 09/03/2018 ## Create roles and assign the role to an Azure Active Directory group The following steps guide you on how to create roles in Windows Defender Security Center. It assumes that you have already created Azure Active Directory user groups. -1. In the navigation pane, select **Settings > Role based access control > Roles**. +1. In the navigation pane, select **Settings > Roles**. 2. Click **Add role**. 3. Enter the role name, description, and permissions you'd like to assign to the role. - **Role name** - - **Description** - - **Permissions** - **View data** - Users can view information in the portal. - - **Investigate alerts** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. - - **Approve or take action** - Users can take response actions and approve or dismiss pending remediation actions. - - **Manage system settings** - Users can configure settings, SIEM and threat intel API settings, advanced settings, preview features, and automated file uploads. + - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. + - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions. + - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups. + + >[!NOTE] + >This setting is only available in the Windows Defender ATP administrator (default) role. + - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. 4. Click **Next** to assign the role to an Azure AD group. diff --git a/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..12ad0a75b8 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,27 @@ +--- +title: File resource type +description: Retrieves top recent alerts. +keywords: apis, graph api, supported apis, get, alerts, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# User resource type + +Method|Return Type |Description +:---|:---|:--- +[List User related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | List all the alerts that are associated with a [user](user-windows-defender-advanced-threat-protection-new.md). +[List User related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | List all the machines that were logged on by a [user](user-windows-defender-advanced-threat-protection-new.md). + + diff --git a/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md index 7ecf9f1fda..e4a0548379 100644 --- a/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md +++ b/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article ms.date: 10/08/2018 --- @@ -18,7 +22,6 @@ ms.date: 10/08/2018 **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -[!include[Prerelease information](prerelease.md)] The **Incidents queue** shows a collection of incidents that were flagged from machines in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision. diff --git a/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md new file mode 100644 index 0000000000..17510d55c1 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md @@ -0,0 +1,92 @@ +--- +title: What's new in Windows Defender ATP +description: Lists the new features and functionality in Windows Defender ATP +keywords: what's new in windows defender atp +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# What's new in Windows Defender ATP +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Here are the new features in the latest release of Windows Defender ATP. + +## Windows Defender ATP 1809 +- [Incidents](incidents-queue.md)
      +Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network. + +- [Support for iOS and Android devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection#turn-on-third-party-integration)
      Support for iOS and Android devices are now supported. + +- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
      +Controlled folder access is now supported on Windows Server 2019. + +- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
      +All Attack surface reduction rules are now supported on Windows Server 2019. +For Windows 10, version 1809 there are two new attack surface reduction rules: + - Block Adobe Reader from creating child processes + - Block Office communication application from creating child processes. + +- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) + - Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/). + - Windows Defender Antivirus can now [run within a sandbox](https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/) (preview), increasing its security. + - [Configure CPU priority settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus) for Windows Defender Antivirus scans. + + + +- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics)
      +Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. + +- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
      +With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. + +- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
      +Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. + +- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
      +Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. + +- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
      +Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. + +- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
      +Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. + +- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
      +Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor. + +- [Removable device control](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/)
      +Windows Defender ATP provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs. + +## Windows Defender ATP 1803 +- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) +New attack surface reduction rules: + - Use advanced protection against ransomware + - Block credential stealing from the Windows local security authority subsystem (lsass.exe) + - Block process creations originating from PSExec and WMI commands + - Block untrusted and unsigned processes that run from USB + - Block executable content from email client and webmail + + +- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
      +You can now block untrusted processes from writing to disk sectors using Controlled Folder Access. +- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
      +Windows Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. For more information, see [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus). + +- [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
      Query data using Advanced hunting in Windows Defender ATP + +- [Automated investigation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
      Use Automated investigations to investigate and remediate threats + +- [Conditional access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
      Enable conditional access to better protect users, devices, and data + diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index abe99e8194..f47bbf1c7e 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md @@ -11,7 +11,11 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 10/26/2018 +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 11/07/2018 --- # Windows Defender Advanced Threat Protection @@ -22,7 +26,7 @@ ms.date: 10/26/2018 Windows Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. -indows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: +Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: - **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Windows Defender ATP. @@ -66,6 +70,11 @@ indows Defender ATP uses the following combination of technology built into Wind + +>[!TIP] +>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). + **[Attack surface reduction](overview-attack-surface-reduction.md)**
      The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. @@ -76,8 +85,8 @@ To further reinforce the security perimeter of your network, Windows Defender AT -**[Endpoint protection and response](overview-endpoint-detection-response.md)**
      -Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. +**[Endpoint detection and response](overview-endpoint-detection-response.md)**
      +Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md index 9791947810..d85d398e43 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md @@ -11,6 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual ms.date: 07/01/2018 --- diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 360b2a59c8..f010ab338b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -1,6 +1,6 @@ --- title: Use attack surface reduction rules to prevent malware infection -description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware +description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -11,7 +11,6 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/15/2018 --- # Reduce attack surfaces with attack surface reduction rules @@ -20,24 +19,25 @@ ms.date: 10/15/2018 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature is part of Windows Defender Advanced Threat Protection and provides: +Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1803 or later, or Windows Server 2019. -- Rules you can set to enable or disable specific behaviors that are typically used by malware and malicious apps to infect machines, such as: - - Executable files and scripts used in Office apps or web mail that attempt to download or run files - - Scripts that are obfuscated or otherwise suspicious - - Behaviors that apps undertake that are not usually initiated during normal day-to-day work -- Centralized monitoring and reporting with deep optics that help you connect the dots across events, computers and devices, and networks -- Analytics to enable ease of deployment, by using [audit mode](audit-windows-defender-exploit-guard.md) to show how attack surface reduction rules would impact your organization if they were enabled +To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. -When an attack surface reduction rule is triggered, a notification displays from the Action Center on the user's computer. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. +Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: -## Requirements +- Executable files and scripts used in Office apps or web mail that attempt to download or run files +- Obfuscated or otherwise suspicious scripts +- Behaviors that apps don't usually initiate during normal day-to-day work -Attack surface reduction rules are a feature of Windows Defender ATP and require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). +You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. + +Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Windows Defender ATP Security Center and on the M365 console. + +For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). ## Attack surface reduction rules -The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table. +The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy: Rule name | GUID -|- @@ -48,170 +48,194 @@ Block Office applications from injecting code into other processes | 75668C1F-73 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25 +Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -The rules apply to the following Office apps: +Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps. -- Microsoft Word -- Microsoft Excel -- Microsoft PowerPoint -- Microsoft OneNote +### Block executable content from email client and webmail -The rules do not apply to any other Office apps. - -### Rule: Block executable content from email client and webmail - -This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): +This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and other popular webmail providers: - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) -- Script archive files + +Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) + +SCCM name: Block executable content from email client and webmail + +GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 + +### Block all Office applications from creating child processes + +This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. + +This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and exploit code to download and attempt to run additional payload. Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings. + +Intune name: Office apps launching child processes + +SCCM name: Block Office application from creating child processes + +GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A + +### Block Office applications from creating executable content + +This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content. + +This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk. + +Intune name: Office apps/macros creating executable content + +SCCM name: Block Office applications from creating executable content + +GUID: 3B576869-A4EC-4529-8536-B80A7769E899 + +### Block Office applications from injecting code into other processes + +Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office apps into other processes. There are no known legitimate business purposes for using code injection. + +This rule applies to Word, Excel, and PowerPoint. + +Intune name: Office apps injecting code into other processes (no exceptions) + +SCCM name: Block Office applications from injecting code into other processes + +GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 + +### Block JavaScript or VBScript from launching downloaded executable content + +Malware often uses JavaScript and VBScript scripts to launch other malicious apps. + +Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers. You can exclude scripts so they're allowed to run. >[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). +>File and folder exclusions don't apply to this attack surface reduction rule. -### Rule: Block all Office applications from creating child processes +Intune name: js/vbs executing payload downloaded from Internet (no exceptions) -Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. +SCCM name: Block JavaScript or VBScript from launching downloaded executable content -This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. +GUID: D3E037E1-3EB8-44C8-A917-57927947596D -### Rule: Block Office applications from creating executable content +### Block execution of potentially obfuscated scripts -This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique. +Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script. -Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. +Intune name: Obfuscated js/vbs/ps/macro code -### Rule: Block Office applications from injecting code into other processes +SCCM name: Block execution of potentially obfuscated scripts. -Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. +GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. +### Block Win32 API calls from Office macros ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). +Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using Win32 APIs in VBA macros, which reduces the attack surface. -### Rule: Block JavaScript or VBScript From launching downloaded executable content +Intune name: Win32 imports from Office macro code -JavaScript and VBScript scripts can be used by malware to launch other malicious apps. +SCCM name: Block Win32 API calls from Office macros -This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. +GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - -### Rule: Block execution of potentially obfuscated scripts - -Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. - -This rule prevents scripts that appear to be obfuscated from running. - -### Rule: Block Win32 API calls from Office macro - -Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system. - -This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. - -### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria +### Block executable files from running unless they meet a prevalence, age, or trusted list criterion -This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list: +This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or they're in a trusted list or exclusion list: - Executable files (such as .exe, .dll, or .scr) >[!NOTE] >You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. + +Intune name: Executables that don't meet a prevalence, age, or trusted list criteria + +SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria + +GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25 -### Rule: Use advanced protection against ransomware +### Use advanced protection against ransomware -This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list. +This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list. >[!NOTE] >You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. + +Intune name: Advanced ransomware protection + +SCCM name: Use advanced protection against ransomware + +GUID: c1db55ab-c21a-4637-bb3f-a12568109d35 -### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe) +### Block credential stealing from the Windows local security authority subsystem (lsass.exe) Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - >[!NOTE] - >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat. + >In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. + +Intune name: Flag credential stealing from the Windows local security authority subsystem + +SCCM name: Block credential stealing from the Windows local security authority subsystem + +GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 + +### Block process creations originating from PSExec and WMI commands -### Rule: Block process creations originating from PSExec and WMI commands - This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. +>[!IMPORTANT] +>File and folder exclusions do not apply to this attack surface reduction rule. + >[!WARNING] ->[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.] +>Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly. + +Intune name: Process creation from PSExec and WMI commands + +SCCM name: Not applicable + +GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c -### Rule: Block untrusted and unsigned processes that run from USB +### Block untrusted and unsigned processes that run from USB With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include: - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) -### Rule: Block Office communication applications from creating child processes +Intune name: Untrusted and unsigned processes that run from USB -Office communication apps will not be allowed to create child processes. This includes Outlook. +SCCM name: Block untrusted and unsigned processes that run from USB -This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. +GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -### Rule: Block Adobe Reader from creating child processes +### Block Office communication application from creating child processes -This rule blocks Adobe Reader from creating child processes. +This rule prevents Outlook from creating child processes. It protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of additional payload while still allowing legitimate Outlook functions. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. -## Review attack surface reduction rule events in the Windows Defender ATP Security Center +>[!NOTE] +>This rule applies to Outlook and Outlook.com only. -Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Intune name: Not yet available -You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how attack surface reduction rules would affect your environment if they were enabled. +SCCM name: Not yet available -## Review attack surface reduction rule events in Windows Event Viewer +GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869 -You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited): +### Block Adobe Reader from creating child processes -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine. +Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes. -2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. +Intune name: Not applicable -3. On the left panel, under **Actions**, click **Import custom view...** - -4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). +SCCM name: Not applicable -5. Click **OK**. +GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -6. This will create a custom view that filters to only show the following events related to attack surface reduction rules: - - Event ID | Description --|- -5007 | Event when settings are changed -1122 | Event when rule fires in Audit-mode -1121 | Event when rule fires in Block-mode - -### Event fields - -- **ID**: matches with the Rule-ID that triggered the block/audit. -- **Detection time**: Time of detection -- **Process Name**: The process that performed the "operation" that was blocked/audited -- **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus - -## Attack surface reduction rules in Windows 10 Enterprise E3 - -A subset of attack surface reduction rules are also available on Windows 10 Enterprise E3 without the benefit of centralized monitoring, reporting, and analytics. For more information, see [Use attack surface reduction rules in Windows 10 Enterprise E3](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3). - - ## In this section - -Topic | Description ----|--- -[Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created. -[Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network. -[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file. +## Related topics +- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) +- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index 0131be7167..a17ef04dd9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md @@ -21,7 +21,7 @@ ms.date: 09/18/2018 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -You can enable attack surface reduction rules, eploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. +You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. You might want to do this when testing how the features will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. @@ -69,4 +69,4 @@ You can also use the a custom PowerShell script that enables the features in aud - [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) - [Protect your network](network-protection-exploit-guard.md) -- [Protect important folders](controlled-folders-exploit-guard.md) \ No newline at end of file +- [Protect important folders](controlled-folders-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index 21c0acfc51..68bff70bd4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/02/2018 +ms.date: 11/29/2018 --- # Protect important folders with controlled folder access @@ -33,6 +33,7 @@ The protected folders include common system folders, and you can [add additional You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019. ## Requirements diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 8bbe633287..2b00cbb179 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/17/2018 +ms.date: 12/19/2018 --- # Customize attack surface reduction rules @@ -28,7 +28,7 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. ## Exclude files and folders -You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running. +You can exclude files and folders from being evaluated by all attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running. This could potentially allow unsafe files to run and infect your devices. @@ -41,28 +41,24 @@ You can specify individual files or folders (using folder paths or fully qualifi Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). -Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe. +Exclusions apply to all attack surface reduction rules. ->[!IMPORTANT] ->Rules that do not honor the exclusion list will not exclude folders or files added in the exclusion list. All files will be evaluated and potentially blocked by rules that do not honor the exclusion list (indicated with a red X in the following table). - - -Rule description | Rule honors exclusions | GUID +Rule description | GUID -|:-:|- -Block all Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A -Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Block Office applications from creating executable content | [!include[Check mark yes](images/svg/check-yes.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting code into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Block JavaScript or VBScript from launching downloaded executable content | [!include[Check mark no](images/svg/check-no.svg)] | D3E037E1-3EB8-44C8-A917-57927947596D -Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block executable files from running unless they meet a prevalence, age, or trusted list criteria | [!include[Check mark yes](images/svg/check-yes.svg)] | 01443614-cd74-433a-b99e-2ecdc07bfc25 -Use advanced protection against ransomware | [!include[Check mark yes](images/svg/check-yes.svg)] | c1db55ab-c21a-4637-bb3f-a12568109d35 -Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark yes](images/svg/check-yes.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c -Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 -Block Adobe Reader from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC +Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 +Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D +Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 +Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25 +Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 +Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 +Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c +Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 +Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index 7591a39db0..2ad55e0a66 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/02/2018 +ms.date: 11/16/2018 --- # Customize exploit protection @@ -53,19 +53,19 @@ Validate exception chains (SEHOP) | Ensures the integrity of an exception chain Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] +Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] +Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)] +Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)] Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] -Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] +Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)] >[!IMPORTANT] >If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 675f449f0b..c89bbdc0fa 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -11,101 +11,168 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/17/2018 --- # Enable attack surface reduction rules -**Applies to:** +[Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules. -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. +## Exclude files and folders from ASR rules + +You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices. + +>[!WARNING] +>Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. +> +>If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules). + +>[!IMPORTANT] +>File and folder exclusions do not apply to the following ASR rules: +> +>- Block process creations originating from PSExec and WMI commands +>- Block JavaScript or VBScript from launching downloaded executable content + +You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. + +ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). + +The following procedures for enabling ASR rules include instructions for how to exclude files and folders. ## Enable and audit attack surface reduction rules -You can use Group Policy, PowerShell, or MDM CSPs to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode. +It's best to use an enterprise-level management platform like Intune or System Center Configuration Manager (SCCM) to configure ASR rules, but you can also use Group Policy, PowerShell, or third-party mobile device management (MDM) CSPs. -For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +>[!WARNING] +>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy or PowerShell settings on startup. -Attack surface reduction rules are identified by their unique rule ID. +For a complete list of ASR rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md). -You can manually add the rules by using the GUIDs in the following table: +Each ASR rule contains three settings: -Rule description | GUID --|- -Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A -Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D -Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25 -Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 -Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c -Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 -Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +* Not configured: Disable the ASR rule +* Block: Enable the ASR rule +* Audit: Evaluate how the ASR rule would impact your organization if enabled -See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. +For further details on how audit mode works and when to use it, see [Audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md). -### Use Group Policy to enable or audit attack surface reduction rules +### Enable ASR rules in Intune -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. In Intune, select *Device configuration* > *Profiles*. Choose an existing endpoint protection profile or create a new one. To create a new one, select *Create profile* and enter information for this profile. For *Profile type*, select *Endpoint protection*. If you've chosen an existing profile, select *Properties* and then select *Settings*. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the *Endpoint protection* pane, select *Windows Defender Exploit Guard*, then select *Attack Surface Reduction*. Select the desired setting for each ASR rule. -3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. +3. Under *Attack Surface Reduction exceptions*, you can enter individual files and folders, or you can select *Import* to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format: + + -4. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section: +4. Select *OK* on the three configuration panes and then select *Create* if you're creating a new endpoint protection file or *Save* if you're editing an existing one. + +### Enable ASR rules in SCCM + +For information about enabling ASR rules and setting exclusions in SCCM, see [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy). + +### Enable ASR rules with Group Policy + +>[!WARNING] +>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup. + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. + +4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section: - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: - - Block mode = 1 - - Disabled = 0 - - Audit mode = 2 + - Disable = 0 + - Block (enable ASR rule) = 1 + - Audit = 2 -![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) + ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) + +5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. -### Use PowerShell to enable or audit attack surface reduction rules +### Enable ASR rules with PowerShell + +>[!WARNING] +>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ```PowerShell Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled ``` -You can enable the feature in audit mode using the following cmdlet: + To enable ASR rules in audit mode, use the following cmdlet: -```PowerShell -Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode -``` -Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. + ```PowerShell + Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode + ``` ->[!IMPORTANT> ->You must specify the state individually for each rule, but you can combine rules and states in a comma seperated list. -> ->In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: -> ->```PowerShell ->Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode ->``` + To turn off ASR rules, use the following cmdlet: + ```PowerShell + Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Disabled + ``` -You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. + >[!IMPORTANT] + >You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. + > + >In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: + > + >```PowerShell + >Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode + >``` ->[!WARNING] ->`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. ->You can obtain a list of rules and their current state by using `Get-MpPreference` + You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. + >[!WARNING] + >`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. + >You can obtain a list of rules and their current state by using `Get-MpPreference` -### Use MDM CSPs to enable attack surface reduction rules +3. To exclude files and folders from ASR rules, use the following cmdlet: -Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. + ```PowerShell + Add-MpPreference -AttackSurfaceReductionOnlyExclusions "" + ``` + + Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list. + + >[!IMPORTANT] + >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. + +### Enable ASR rules with MDM CSPs + +Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. + +The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). + +OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules + +Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1 + +The values to enable, disable, or enable in audit mode are: + +- Disable = 0 +- Block (enable ASR rule) = 1 +- Audit = 2 + +Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. + +Example: + +OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions + +Value: c:\path|e:\path|c:\Whitelisted.exe + +>[!NOTE] +>Be sure to enter OMA-URI values without spaces. ## Related topics - [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Customize attack surface reduction](customize-attack-surface-reduction.md) - [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 79fb8541bf..4f95d8c023 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/02/2018 +ms.date: 02/14/2019 --- # Enable controlled folder access @@ -20,7 +20,7 @@ ms.date: 10/02/2018 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. +[Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. This topic describes how to enable Controlled folder access with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index 70500e0307..69d9054c81 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 02/14/2019 --- # Enable exploit protection @@ -20,9 +20,9 @@ ms.date: 08/08/2018 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. +[Exploit protection](exploit-protection-exploit-guard.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps. -Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. +Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. ## Enable and audit exploit protection diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index d147c77d43..ee0f20632d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 02/14/2019 --- # Enable network protection @@ -20,7 +20,7 @@ ms.date: 05/30/2018 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +[Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. This topic describes how to enable network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index 98835fdcfd..325b6119b3 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: justinha author: brianlic-msft -ms.date: 08/08/2018 +ms.date: 11/15/2018 --- # Enable virtualization-based protection of code integrity @@ -42,7 +42,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP] 1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one. 2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**. 3. Double-click **Turn on Virtualization Based Security**. -4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be enabled remotely or select **Enabled without UEFI lock**. +4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**. ![Enable HVCI using Group Policy](images\enable-hvci-gp.png) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index a143ed81a3..290fbdaae4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/02/2018 +ms.date: 11/16/2018 --- # Evaluate attack surface reduction rules @@ -22,164 +22,14 @@ ms.date: 10/02/2018 Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. -This topic helps you evaluate attack surface reduction rules. It explains how to demo ASR rules using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. - ->[!NOTE] ->This topic uses a customized testing tool and PowerShell cmdlets to make it easy to enable the feature and test it. ->For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md). +This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test the feature directly in your organization. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -## Use the demo tool to see how attack surface reduction rules work - -Use the **ExploitGuard ASR test tool** app to see how attack surface reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines. - -The tool is part of the Windows Defender Exploit Guard evaluation package: -- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) - -This tool has a simple user interface that lets you choose a rule, configure it in blocking, audit, or disabled mode, and run a pre-created series of actions that would be evaluated by the rule. - -When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken. - -![Screenshot of the Exploit guard demo tool](images/asr-test-tool.png) - -Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running. - ->[!IMPORTANT] ->The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [audit mode to measure impact](#use-audit-mode-to-measure-impact), or see the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md). - -**Run a rule using the demo tool:** - -1. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard ASR test tool* to a location on your PC that is easy to access (such as your desktop). - -2. Run the tool by double-clicking the version that matches your operating system - either 64-bit (x64) or 32-bit (x86). If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**. - - - >[!IMPORTANT] - >Make sure you use the version of the tool that is appropriate for the machine you are using. Use the x86 version for 32-bit versions of Windows 10, or use the x64 version for 64-bit versions of Windows 10. - -3. Select the rule from the drop-down menu. - -4. Select the mode, **Disabled**, **Block**, or **Audit**. - 1. Optionally, click **Show Advanced Options** and choose a specific scenario (or all scenarios sequentially by selecting **All Scenarios**), enter a delay, or click **Leave Dirty**. - -5. Click **RunScenario**. - -The scenario will run, and an output will appear describing the steps taken. - -You can right-click on the output window and click **Open Event Viewer** to see the relevant event in Windows Event Viewer. - ->[!TIP] ->You can click **Save Filter to Custom View...** in the Event Viewer to create a custom view so you can easily come back to this view as you continue to evaluate rules. - - -Choosing the **Mode** will change how the rule functions: - -Mode option | Description --|- -Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled attack surface reduction rules at all. -Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled attack surface reduction rules. -Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how attack surface reduction rules will work but without impacting how you use the computer. - -Block mode will cause a notification to appear on the user's desktop: - -![Example notification that says Action blocked: Your IT administrator caused Windows Defender Antivirus to block this action. Contact your IT desk.](images/asr-notif.png) - -You can [modify the notification to display your company name and links](customize-attack-surface-reduction.md#customize-the-notification) for users to obtain more information or contact your IT help desk. - -For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). - -The following sections describe what each rule does and what the scenarios entail for each rule. - -### Rule: Block executable content from email client and webmail - -This rule blocks certain files from being run or launched from an email. You can specify an individual scenario, based on the category of the file type or whether the email is in Microsoft Outlook or web mail. - -The following table describes the category of the file type that will be blocked and the source of the email for each scenario in this rule: - -Scenario name | File type | Program -- | - | - -Random | A scenario will be randomly chosen from this list | Microsoft Outlook or web mail -Mail Client PE | Executable files (such as .exe, .dll, or .scr) | Microsoft Outlook -Mail Client Script | Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) | Microsoft Outlook -Mail Client Script Archive | Script archive files | Microsoft Outlook -WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as gmail, outlook, hotmail -WebMail Script | Script files (such as a PowerShell .ps, VBScript .vbs, or JavaScript .js file) | Web mail -WebMail Script Archive | Script archive files | Web mail - - -### Rule: Block Office applications from creating child processes - ->[!NOTE] ->There is only one scenario to test for this rule. - -Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. - -### Rule: Block Office applications from creating executable content - -This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware technique. - -The following scenarios can be individually chosen: - -- Random - - A scenario will be randomly chosen from this list -- Extension Block - - Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. - -### Rule: Block Office applications from injecting into other processes - ->[!NOTE] ->There is only one scenario to test for this rule. - -Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. - -### Rule: Impede JavaScript and VBScript to launch executables - -JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. - -- Random - - A scenario will be randomly chosen from this list -- JScript - - JavaScript will not be allowed to launch executable files -- VBScript - - VBScript will not be allowed to launch executable files - -### Rule: Block execution of potentially obfuscated scripts - -Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running. - -- Random - - A scenario will be randomly chosen from this list -- AntiMalwareScanInterface - - This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script -- OnAccess - - Potentially obfuscated scripts will be blocked when an attempt is made to access them - - -## Review Attack surface reduction events in Windows Event Viewer - -You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). - -1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. - -2. On the left panel, under **Actions**, click **Import custom view...** - -3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). - -4. Click **OK**. - -5. This will create a custom view that filters to only show the following events related to Attack surface reduction: - -Event ID | Description --|- -5007 | Event when settings are changed -1122 | Event when rule fires in Audit-mode -1121 | Event when rule fires in Block-mode - ## Use audit mode to measure impact -You can also enable the Attack surface reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature. +You can enable attack surface reduction rules in audit mode. This lets you see a record of what apps would have been blocked if you had enabled attack surface reduction rules. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use. @@ -189,17 +39,17 @@ To enable audit mode, use the following PowerShell cmdlet: Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode ``` -This enables all Attack surface reduction rules in audit mode. +This enables all attack surface reduction rules in audit mode. >[!TIP] ->If you want to fully audit how Attack surface reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). -You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md). +>If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction-exploit-guard.md). ## Customize attack surface reduction rules During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature. -See the [Customize Exploit protection](customize-exploit-protection.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. +See the [Customize attack surface reduction rules](customize-attack-surface-reduction.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. ## Related topics - [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index f30804cbd0..3357f3a4fc 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/02/2018 +ms.date: 11/16/2018 --- # Evaluate controlled folder access @@ -24,70 +24,11 @@ ms.date: 10/02/2018 It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. -This topic helps you evaluate controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. - ->[!NOTE] ->This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. ->For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled folder access topic](controlled-folders-exploit-guard.md). +This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -## Use the demo tool to see how controlled folder access works - -Use the **ExploitGuard CFA File Creator** tool to see how controlled folder access can prevent a suspicious app from creating files in protected folders. - -The tool is part of the Windows Defender Exploit Guard evaluation package: -- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) - -This tool can be run locally on an individual machine to see the typical behavior of controlled folder access. The tool is considered by Windows Defender ATP to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders. - -You can enable controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders. - -1. Type **powershell** in the Start menu. - -2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt. - -3. Enter the following in the PowerShell window to enable Controlled folder access: - ```PowerShell - Set-MpPreference -EnableControlledFolderAccess Enabled - ``` - -4. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard CFA File Creator.exe* to a location on your PC that is easy to access (such as your desktop). - -5. Run the tool by double-clicking it. If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**. - -6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test. - - ![Screenshot of the exploit guard demo tool](images/cfa-filecreator.png) - -7. A notification will appear, indicating that the tool was prevented from creating the file, as in the following example: - - ![Exampke notification that says Unauthorized changes blocked: Controlled folder access blocked (file name) from making changes to the folder (folder name)](images/cfa-notif.png) - -## Review controlled folder access events in Windows Event Viewer - -You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). - -1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. - -2. On the left panel, under **Actions**, click **Import custom view...** - -3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). - -4. Click **OK**. - -5. This will create a custom view that filters to only show the following events related to Controlled folder access: - -Event ID | Description --|- -5007 | Event when settings are changed -1124 | Audited controlled folder access event -1123 | Blocked controlled folder access event -1127 | Blocked controlled folder access sector write block event -1128 | Audited controlled folder access sector write block event - - ## Use audit mode to measure impact You can enable the controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index 1d7efe7b59..ec8690b50d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 11/16/2018 --- # Evaluate exploit protection @@ -26,75 +26,9 @@ Many of the features that are part of the [Enhanced Mitigation Experience Toolki This topic helps you evaluate exploit protection. For more information about what exploit protection does and how to configure it for real-world deployment, see [Exploit protection](exploit-protection-exploit-guard.md). ->[!NOTE] ->This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. ->For instructions about how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see [Exploit protection](exploit-protection-exploit-guard.md). - >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -## Enable and validate an exploit protection mitigation - -For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app. - -First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Security app: - -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** - -2. Enter the following cmdlet: - - ```PowerShell - Set-ProcessMitigation -Name iexplore.exe -Enable DisallowChildProcessCreation - ``` - -3. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**. - -4. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen. - -5. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. - -6. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**. - -Now that you know the mitigation has been enabled, you can test to see if it works and what the experience would be for an end user: - -1. Type **run** in the Start menu and press **Enter** to open the run dialog box. - -2. Type **iexplore.exe** and press **Enter** or click **OK** to attempt to open Internet Explorer. - -3. Internet Explorer should briefly open and then immediately shut down again, indicating that the mitigation was applied and prevented Internet Explorer from opening a child process (its own process). - -Lastly, we can disable the mitigation so that Internet Explorer works properly again: - -1. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**. - -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen. - -3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. - -4. Find the **Do not allow child processes** setting and set the switch to **Off**. Click **Apply** - -5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected. - -## Review exploit protection events in Windows Event Viewer - -You can now review the events that exploit protection sent to the Windows Event Viewer to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). - -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. - -2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. - -3. On the left panel, under **Actions**, click **Import custom view...** - -4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). - -4. Click **OK**. - -5. This will create a custom view that filters to only show the events related to exploit protection. - -6. The specific event to look for in this demo is event ID 4, which should have the following or similar information: - - Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'. - ## Use audit mode to measure impact You can enable exploit protection in audit mode. You can enable audit mode for individual mitigations. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index 995cbaeb50..9c5516c1de 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/09/2018 +ms.date: 11/16/2018 --- # Evaluate network protection @@ -39,7 +39,7 @@ This topic helps you evaluate Network protection by enabling the feature and gui Set-MpPreference -EnableNetworkProtection Enabled ``` -You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace `Enabled` with either `AuditMode` or `Disabled`. +You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace "Enabled" with either "AuditMode" or "Disabled". ### Visit a (fake) malicious domain diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index 5f32c57193..fc9d4153fb 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -33,13 +33,13 @@ You can also get detailed reporting into events and blocks as part of Windows Se You can create custom views in the Windows Event Viewer to only see events for specific capabilities and settings. -The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page. +The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page. You can also manually navigate to the event area that corresponds to the feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details. ### Import an existing XML custom view -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropriate file to an easily accessible location. The following filenames are each of the custom views: +1. Create an empty .txt file and copy the XML for the custom view you want to use into the .txt file. Do this for each of the custom views you want to use. Rename the files as follows (ensure you change the type from .txt to .xml): - Controlled folder access events custom view: *cfa-events.xml* - Exploit protection events custom view: *ep-events.xml* - Attack surface reduction events custom view: *asr-events.xml* @@ -144,30 +144,30 @@ You can access these events in Windows Event viewer: Feature | Provider/source | Event ID | Description :-|:-|:-:|:- -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 1 | ACG audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 2 | ACG enforce -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 3 | Do not allow child processes audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 4 | Do not allow child processes block -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 5 | Block low integrity images audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 6 | Block low integrity images block -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 7 | Block remote images audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 8 | Block remote images block -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 9 | Disable win32k system calls audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 10 | Disable win32k system calls block -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 11 | Code integrity guard audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 12 | Code integrity guard block -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 13 | EAF audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 14 | EAF enforce -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 15 | EAF+ audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 16 | EAF+ enforce -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 17 | IAF audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 18 | IAF enforce -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 19 | ROP StackPivot audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 20 | ROP StackPivot enforce -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 21 | ROP CallerCheck audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 22 | ROP CallerCheck enforce -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 23 | ROP SimExec audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 24 | ROP SimExec enforce +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 2 | ACG enforce +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 4 | Do not allow child processes block +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 6 | Block low integrity images block +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 8 | Block remote images block +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 10 | Disable win32k system calls block +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 12 | Code integrity guard block +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 13 | EAF audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 14 | EAF enforce +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 15 | EAF+ audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 16 | EAF+ enforce +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 17 | IAF audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 18 | IAF enforce +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 19 | ROP StackPivot audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 20 | ROP StackPivot enforce +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 21 | ROP CallerCheck audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 22 | ROP CallerCheck enforce +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 23 | ROP SimExec audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 24 | ROP SimExec enforce Exploit protection | WER-Diagnostics | 5 | CFG Block Exploit protection | Win32K (Operational) | 260 | Untrusted Font Network protection | Windows Defender (Operational) | 5007 | Event when settings are changed @@ -180,4 +180,4 @@ Controlled folder access | Windows Defender (Operational) | 1127 | Blocked Contr Controlled folder access | Windows Defender (Operational) | 1128 | Audited Controlled folder access sector write block event Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode -Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode \ No newline at end of file +Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 7fb3984ab2..e84b78a8a0 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/09/2018 +ms.date: 11/29/2018 --- # Protect devices from exploits @@ -22,10 +22,10 @@ ms.date: 08/09/2018 Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). +It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Exploit protection is supported on Windows 10, version 1709 and later and Windows Server 2016, version 1803 or later. >[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +>You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index b1e742ac1b..78f14e5a59 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/09/2018 +ms.date: 02/14/2019 --- # Protect your network @@ -24,8 +24,10 @@ Network protection helps reduce the attack surface of your devices from Internet It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). +Network protection is supported on Windows 10, version 1709 and later and Windows Server 2016, version 1803 or later. + >[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +>You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. Network protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). @@ -69,7 +71,7 @@ You can review the Windows event log to see events that are created when network 1125 | Event when network protection fires in audit mode 1126 | Event when network protection fires in block mode - ## In this section + ## Related topics Topic | Description ---|--- diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index 1eb3ac9b72..640fe4cc29 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -33,9 +33,9 @@ The following tables provide more information about the hardware, firmware, and |--------------------------------|----------------------------------------------------|-------------------| | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | | | Hardware: **CPU virtualization extensions**,
      plus **extended page tables** | These hardware features are required for VBS:
      One of the following virtualization extensions:
      • VT-x (Intel) or
      • AMD-V
      And:
      • Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. | -| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwareuefisecureboot) | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | -| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwareuefisecureboot) | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: **HVCI compatible drivers** | See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://docs.microsoft.com/windows-hardware/design/compatibility/filter#filterdriverdeviceguarddrivercompatibility).| [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | +| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | +| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | +| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | | Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

      Important:
      Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

      | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. | > **Important**  The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide. @@ -58,7 +58,7 @@ The following tables describe additional hardware and firmware qualifications, a | Protections for Improved Security | Description | Security benefits | |---------------------------------------------|----------------------------------------------------|-----| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwarecsuefisecurebootconnectedstandby)
      • The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
      • HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies).
      • The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
      • HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. | | Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. | | Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
      • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.
      • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index 5711270ae7..46df2bf21d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md @@ -11,7 +11,6 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/18/2018 --- # Troubleshoot attack surface reduction rules @@ -40,7 +39,7 @@ Attack surface reduction rules will only work on devices with the following cond > - Endpoints are running Windows 10 Enterprise E5, version 1709 (also known as the Fall Creators Update). > - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. -> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules). +> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. @@ -61,7 +60,7 @@ Follow the instructions in [Use the demo tool to see how attack surface reductio Audit mode allows the rule to report as if it actually blocked the file or process, but will still allow the file to run. -1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules). +1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). 2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed). 3. [Review the attack surface reductio rule event logs](attack-surface-reduction-exploit-guard.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md index ef1582c6fa..660b1b518c 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md @@ -16,7 +16,10 @@ ms.date: 1/26/2018 - Windows 10 - Windows 10 Mobile -Windows Defender SmartScreen works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely. +Windows Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely. + +See [Windows 10 (and later) settings to protect devices using Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune. + ## Group Policy settings SmartScreen uses registry-based Administrative Template policy settings. For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md new file mode 100644 index 0000000000..7531187507 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md @@ -0,0 +1,83 @@ +--- +title: How a hardware-based root of trust helps protect Windows 10 (Windows 10) +description: Windows 10 uses a hardware-based root of trust to securely protect systems against firmware exploits. +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: justinha +ms.date: 02/14/2019 +--- + + +# Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10 + +In order to protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy. + +Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees: + +- Protect and maintain the integrity of the system as it starts up +- Validate that system integrity has truly been maintained through local and remote attestation + +## Maintaining the integrity of the system as it starts + +### Static Root of Trust for Measurement (SRTM) + +With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. +This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege. + +With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. +This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). +This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM). + +As there are thousands of PC vendors that produce numerous models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup. +Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blacklist), or a list of known 'good' SRTM measurements (also known as a whitelist). +Each option has a drawback: + +- A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed. +- A list of known 'good' SRTM measurements requires each new BIOS/PC combination measurement to be carefully added, which is slow. +In addition, a bug fix for UEFI code can take a long time to design, build, retest, validate, and redeploy. + +### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM) + +Windows Defender System Guard Secure Launch, first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). +DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. +This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state. + + +![System Guard Secure Launch](images/system-guard-secure-launch.png) + +Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly. + +### System Management Mode (SMM) protection + +System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful. +Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS. +SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if DRTM is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor. +To defend against this, two techniques are used: + +1. Paging protection to prevent inappropriate access to code and data +2. SMM hardware supervision and attestation + +Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering. +This prevents access to any memory that has not been specifically assigned. + +A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it does not access any part of the address space that it is not supposed to. + +SMM protection is built on top of the Secure Launch technology and requires it to function. +In the future, Windows 10 will also measure this SMI Handler’s behavior and attest that no OS-owned memory has been tampered with. + +## Validating platform integrity after Windows is running (run time) + +While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we can’t just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device’s integrity. + +As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. + + +![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png) + +After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. + diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-group-policy.png b/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-group-policy.png new file mode 100644 index 0000000000..dda2271807 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-group-policy.png differ diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-msinfo.png b/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-msinfo.png new file mode 100644 index 0000000000..ccdf5070d3 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-msinfo.png differ diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-registry.png b/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-registry.png new file mode 100644 index 0000000000..8a82cab356 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-registry.png differ diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-security-app.png b/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-security-app.png new file mode 100644 index 0000000000..99e8cb1384 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-security-app.png differ diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png b/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png new file mode 100644 index 0000000000..99e8cb1384 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png differ diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/system-guard-secure-launch.png b/windows/security/threat-protection/windows-defender-system-guard/images/system-guard-secure-launch.png new file mode 100644 index 0000000000..8707d0fba4 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-system-guard/images/system-guard-secure-launch.png differ diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-boot-time-integrity.png b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-boot-time-integrity.png new file mode 100644 index 0000000000..1761e2e539 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-boot-time-integrity.png differ diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png new file mode 100644 index 0000000000..fbd6a798b0 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png differ diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png new file mode 100644 index 0000000000..865af86b19 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png differ diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md new file mode 100644 index 0000000000..6b0f8c4ebd --- /dev/null +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md @@ -0,0 +1,66 @@ +--- +title: System Guard Secure Launch and SMM protection (Windows 10) +description: Explains how to configure System Guard Secure Launch and System Management Mode (SMM protection) to improve the startup security of Windows 10 devices. +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: justinha +ms.date: 02/14/2019 +--- + +# System Guard Secure Launch and SMM protection + +This topic explains how to configure System Guard Secure Launch and System Management Mode (SMM) protection to improve the startup security of Windows 10 devices. + +## How to enable System Guard Secure Launch + +You can enable System Guard Secure Launch by using any of these options: + +- [Mobile Device Management (MDM)](#mobile-device-management) +- [Group Policy](#group-policy) +- [Windows Security app](#windows-security-app) +- [Registry](#registry) + +### Mobile Device Management + +System Guard Secure Launch can be configured for Mobile Device Management (MDM) by using DeviceGuard policies in the Policy CSP, specifically [DeviceGuard/ConfigureSystemGuardLaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch). + +### Group Policy + +1. Click **Start** > type and then click **Edit group policy**. +2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**. + +![Secure Launch Group Policy](images/secure-launch-group-policy.png) + +### Windows Security app + +Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**. + +![Secure Launch Security App](images/secure-launch-security-app.png) + +### Registry + +1. Open Registry editor. +2. Click **HKEY_LOCAL_MACHINE** > **SYSTEM** > **CurrentControlSet** > **Control** > **DeviceGuard** > **Scenarios**. +3. Right-click **Scenarios** > **New** > **Key** and name the new key **SystemGuard**. +4. Right-click **SystemGuard** > **New** > **DWORD (32-bit) Value** and name the new DWORD **Enabled**. +5. Double-click **Enabled**, change the value to **1**, and click **OK**. + +![Secure Launch Registry](images/secure-launch-registry.png) + +## How to verify System Guard Secure Launch is configured and running + +To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**. + +![Secure Launch Security App](images/secure-launch-msinfo.png) + + + + + + + + diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md index 6c8ae105ee..1655e466e9 100644 --- a/windows/whats-new/TOC.md +++ b/windows/whats-new/TOC.md @@ -4,6 +4,4 @@ ## [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) ## [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) ## [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) -## [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) - - +## [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) \ No newline at end of file diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 34346b0e9c..12dd2d0312 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -36,7 +36,6 @@ "ms.technology": "windows", "ms.topic": "article", "ms.author": "trudyha", - "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", diff --git a/windows/whats-new/images/Defender.png b/windows/whats-new/images/Defender.png index a99f5992a0..1d14812242 100644 Binary files a/windows/whats-new/images/Defender.png and b/windows/whats-new/images/Defender.png differ diff --git a/windows/whats-new/images/WebSignIn.png b/windows/whats-new/images/WebSignIn.png index 4afa324aec..1a2c0ed270 100644 Binary files a/windows/whats-new/images/WebSignIn.png and b/windows/whats-new/images/WebSignIn.png differ diff --git a/windows/whats-new/images/virus-and-threat-protection.png b/windows/whats-new/images/virus-and-threat-protection.png index 8fd800dcfa..f5fd5287bc 100644 Binary files a/windows/whats-new/images/virus-and-threat-protection.png and b/windows/whats-new/images/virus-and-threat-protection.png differ diff --git a/windows/whats-new/images/wdatp.png b/windows/whats-new/images/wdatp.png new file mode 100644 index 0000000000..79410f493f Binary files /dev/null and b/windows/whats-new/images/wdatp.png differ diff --git a/windows/whats-new/images/windows-defender-atp.png b/windows/whats-new/images/windows-defender-atp.png new file mode 100644 index 0000000000..938ac2c72d Binary files /dev/null and b/windows/whats-new/images/windows-defender-atp.png differ diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index 12fae68091..47357b364c 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -35,7 +35,9 @@ Windows 10 provides IT professionals with advanced protection against modern sec - [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkId=690485) +## See also +[Windows 10 Enterprise LTSC](ltsc/index.md)     diff --git a/windows/whats-new/ltsc/TOC.md b/windows/whats-new/ltsc/TOC.md new file mode 100644 index 0000000000..6dfee34a97 --- /dev/null +++ b/windows/whats-new/ltsc/TOC.md @@ -0,0 +1,4 @@ +# [Windows 10 Enterprise LTSC](index.md) +## [What's new in Windows 10 Enterprise 2019 LTSC](whats-new-windows-10-2019.md) +## [What's new in Windows 10 Enterprise 2016 LTSC](whats-new-windows-10-2016.md) +## [What's new in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md) \ No newline at end of file diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md new file mode 100644 index 0000000000..df4bb4d4b9 --- /dev/null +++ b/windows/whats-new/ltsc/index.md @@ -0,0 +1,49 @@ +--- +title: Windows 10 Enterprise LTSC +description: New and updated IT Pro content about new features in Windows 10, LTSC (also known as Windows 10 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 LTSC", "Windows 10 LTSB"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.date: 12/27/2018 +ms.localizationpriority: low +--- + +# Windows 10 Enterprise LTSC + +**Applies to** +- Windows 10 Enterprise LTSC + +## In this topic + +This topic provides links to articles with information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel. + +[What's New in Windows 10 Enterprise 2019 LTSC](whats-new-windows-10-2019.md)
      +[What's New in Windows 10 Enterprise 2016 LTSC](whats-new-windows-10-2016.md)
      +[What's New in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md) + +## The Long Term Servicing Channel (LTSC) + +The following table summarizes equivalent feature update versions of Windows 10 LTSC and semi-annual channel (SAC) releases. + +| LTSC release | Equivalent SAC release | Availability date | +| --- | --- | --- | +| Windows 10 Enterprise 2015 LTSC | Windows 10, Version 1507 | 7/29/2015 | +| Windows 10 Enterprise 2016 LTSC | Windows 10, Version 1607 | 8/2/2016 | +| Windows 10 Enterprise 2019 LTSC | Windows 10, Version 1809 | 11/13/2018 | + +>[!NOTE] +>The Long Term Servicing Channel was previously called the Long Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. + +With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10 year period. + +>[!IMPORTANT] +>The Long Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). + +For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview.md). + +## See Also + +[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
      +[Windows 10 - Release information](https://docs.microsoft.com/en-us/windows/windows-10/release-information): Windows 10 current versions by servicing option. \ No newline at end of file diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md new file mode 100644 index 0000000000..ce85311efd --- /dev/null +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -0,0 +1,294 @@ +--- +title: What's new in Windows 10 Enterprise 2015 LTSC +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2015 LTSC (also known as Windows 10 Enterprise 2015 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2015 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.localizationpriority: low +--- + +# What's new in Windows 10 Enterprise 2015 LTSC + +**Applies to** +- Windows 10 Enterprise 2015 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2015 LTSC are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md). + +## Deployment + +### Provisioning devices using Windows Imaging and Configuration Designer (ICD) + +With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Using Windows Provisioning, an IT administrator can easily specify the configuration and settings required to enroll devices into management using a wizard-driven user interface, and then apply this configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. + +[Learn more about provisioning in Windows 10](/windows/configuration/provisioning-packages/provisioning-packages) + +## Security + +### Applocker + +Applocker was available for Windows 8.1, and is improved with Windows 10. See [Requirements to use AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md) for a list of operating system requirements. + +Enhancements to Applocker in Windows 10 include: + +- A new parameter was added to the [New-AppLockerPolicy](https://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. +- A new [AppLocker](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. +- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx). + +[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). + +### Bitlocker + +Enhancements to Applocker in Windows 10 include: + +- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](https://technet.microsoft.com/itpro/windows/keep-secure/windows-10-security-guide#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. +- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. +- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings." + +[Learn how to deploy and manage BitLocker within your organization](/windows/device-security/bitlocker/bitlocker-overview). + +### Certificate management + +For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile) + +### Microsoft Passport + +In Windows 10, [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. + +Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. + +### Security auditing + +In Windows 10, security auditing has added some improvements: +- [New audit subcategories](#bkmk-auditsubcat) +- [More info added to existing audit events](#bkmk-moreinfo) + +#### New audit subcategories + +In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: +- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. + When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. +- [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. + Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. + A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. + +#### More info added to existing audit events + +With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: +- [Changed the kernel default audit policy](#bkmk-kdal) +- [Added a default process SACL to LSASS.exe](#bkmk-lsass) +- [Added new fields in the logon event](#bkmk-logon) +- [Added new fields in the process creation event](#bkmk-logon) +- [Added new Security Account Manager events](#bkmk-sam) +- [Added new BCD events](#bkmk-bcd) +- [Added new PNP events](#bkmk-pnp) + +#### Changed the kernel default audit policy + +In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. + +#### Added a default process SACL to LSASS.exe + +In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. +This can help identify attacks that steal credentials from the memory of a process. + +#### New fields in the logon event + +The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: +1. **MachineLogon** String: yes or no + If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no. +2. **ElevatedToken** String: yes or no + If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown. +3. **TargetOutboundUserName** String + **TargetOutboundUserDomain** String + The username and domain of the identity that was created by the LogonUser method for outbound traffic. +4. **VirtualAccount** String: yes or no + If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no. +5. **GroupMembership** String + A list of all of the groups in the user's token. +6. **RestrictedAdminMode** String: yes or no + If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. + For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). + +#### New fields in the process creation event + +The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: +1. **TargetUserSid** String + The SID of the target principal. +2. **TargetUserName** String + The account name of the target user. +3. **TargetDomainName** String + The domain of the target user.. +4. **TargetLogonId** String + The logon ID of the target user. +5. **ParentProcessName** String + The name of the creator process. +6. **ParentProcessId** String + A pointer to the actual parent process if it's different from the creator process. + +#### New Security Account Manager events + +In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: +- SamrEnumerateGroupsInDomain +- SamrEnumerateUsersInDomain +- SamrEnumerateAliasesInDomain +- SamrGetAliasMembership +- SamrLookupNamesInDomain +- SamrLookupIdsInDomain +- SamrQueryInformationUser +- SamrQueryInformationGroup +- SamrQueryInformationUserAlias +- SamrGetMembersInGroup +- SamrGetMembersInAlias +- SamrGetUserDomainPasswordInformation + +#### New BCD events + +Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): +- DEP/NEX settings +- Test signing +- PCAT SB simulation +- Debug +- Boot debug +- Integrity Services +- Disable Winload debugging menu + +#### New PNP events + +Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. + +[Learn how to manage your security audit policies within your organization](/windows/device-security/auditing/security-auditing-overview). + +### Trusted Platform Module + +#### New TPM features in Windows 10 + +The following sections describe the new and changed functionality in the TPM for Windows 10: +- [Device health attestation](#bkmk-dha) +- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support +- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support +- [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support + +### Device health attestation + +Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. +Some things that you can check on the device are: +- Is Data Execution Prevention supported and enabled? +- Is BitLocker Drive Encryption supported and enabled? +- Is SecureBoot supported and enabled? + +> **Note**  The device must be running Windows 10 and it must support at least TPM 2.0. + +[Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview). + +### User Account Control + +User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. + +You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10. + +For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). + +In Windows 10, User Account Control has added some improvements: + +- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](https://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. + +[Learn how to manage User Account Control within your organization](/windows/access-protection/user-account-control/user-account-control-overview). + +### VPN profile options + +Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including: + +- Always-on auto connection behavior +- App=triggered VPN +- VPN traffic filters +- Lock down VPN +- Integration with Microsoft Passport for Work + +[Learn more about the VPN options in Windows 10.](/windows/access-protection/vpn/vpn-profile-options) + + +## Management + +Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. + +### MDM support + +MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. + +MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. + +Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=533172) + +### Unenrollment + +When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device. + +When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed. + +### Infrastructure + +Enterprises have the following identity and management choices. + +| Area | Choices | +|---|---| +| Identity | Active Directory; Azure AD | +| Grouping | Domain join; Workgroup; Azure AD join | +| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | + + > **Note**   +With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](https://go.microsoft.com/fwlink/p/?LinkID=613512). + +  +### Device lockdown + + +Do you need a computer that can only do one thing? For example: + +- A device in the lobby that customers can use to view your product catalog. +- A portable device that drivers can use to check a route on a map. +- A device that a temporary worker uses to enter data. + +You can configure a persistent locked down state to [create a kiosk-type device](https://technet.microsoft.com/itpro/windows/manage/set-up-a-device-for-anyone-to-use). When the locked-down account is logged on, the device displays only the app that you select. + +You can also [configure a lockdown state](https://technet.microsoft.com/itpro/windows/manage/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. + +Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/itpro/windows/manage/windows-10-start-layout-options-and-policies). + +### Customized Start layout + +A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](/windows/configuration/customize-and-export-start-layout). + +Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight). + +## Updates + +Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. + +By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: + +- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). + +- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. + +- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). + +Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx). + + +Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). + +For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). + +## Microsoft Edge + +Microsoft Edge is not available in the LTSC release of Windows 10. + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. + diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md new file mode 100644 index 0000000000..1058f0c9b3 --- /dev/null +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md @@ -0,0 +1,174 @@ +--- +title: What's new in Windows 10 Enterprise 2016 LTSC +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2016 LTSC (also known as Windows 10 Enterprise 2016 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2016 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.localizationpriority: low +--- + +# What's new in Windows 10 Enterprise 2016 LTSC + +**Applies to** +- Windows 10 Enterprise 2016 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2016 LTSC (LTSB), compared to Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2016 LTSC are equivalent to Windows 10, version 1607. + +## Deployment + +### Windows Imaging and Configuration Designer (ICD) + +In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install additional features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) + +Windows ICD now includes simplified workflows for creating provisioning packages: + +- [Simple provisioning to set up common settings for Active Directory-joined devices](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) +- [Advanced provisioning to deploy certificates and apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) +- [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain) + +[Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages) + +### Windows Upgrade Readiness + +>[!IMPORTANT] +>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. + +Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. + +With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. + +Use Upgrade Readiness to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues, with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools + +The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready. + +[Learn more about planning and managing Windows upgrades with Windows Upgrade Readiness.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) + +## Security + +### Credential Guard and Device Guard + +Isolated User Mode is now included with Hyper-V so you don't have to install it separately. + +### Windows Hello for Business + +When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. + +Additional changes for Windows Hello in Windows 10 Enterprise 2016 LTSC: + +- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. +- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. +- Beginning in this version of Windows 10, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**. + + +[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification) + +### Bitlocker + +#### New Bitlocker features + +- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. + It provides the following benefits: + - The algorithm is FIPS-compliant. + - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. + >**Note:**  Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. + +### Security auditing + +#### New Security auditing features + +- The [WindowsSecurityAuditing](https://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](https://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. + +### Trusted Platform Module + +#### New TPM features + +- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). + +### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) + +With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. + +Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. + +- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy) +- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip) + +[Learn more about Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) + +### Windows Defender + +Several new features and management options have been added to Windows Defender in this version of Windows 10. + +- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media. +- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans. +- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. +- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal. +- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus). +- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times. + +### Windows Defender Advanced Threat Protection (ATP) + +With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks. + +[Learn more about Windows Defender Advanced Threat Protection (ATP)](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). + +### VPN security + +- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. +- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. +- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607) +- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. + +## Management + +### Use Remote Desktop Connection for PCs joined to Azure Active Directory + +From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in this version of Windows 10, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc) + +### Taskbar configuration + +Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](/windows/configuration/windows-10-start-layout-options-and-policies) + +### Mobile device management and configuration service providers (CSPs) + +Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for this version of Windows 10, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607). + +### Shared PC mode + +This version of Windows 10, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](/windows/configuration/set-up-shared-or-guest-pc) + +### Application Virtualization (App-V) for Windows 10 + +Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally. + +With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. + +[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started) + +### User Experience Virtualization (UE-V) for Windows 10 + +Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options. + +With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. + +With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. + +[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows) + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. + diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md new file mode 100644 index 0000000000..94f4540a5d --- /dev/null +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -0,0 +1,659 @@ +--- +title: What's new in Windows 10 Enterprise 2019 LTSC +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2019 LTSC (also known as Windows 10 Enterprise 2019 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2019 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.localizationpriority: low +--- + +# What's new in Windows 10 Enterprise 2019 LTSC + +**Applies to** +- Windows 10 Enterprise 2019 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2019 LTSC, compared to Windows 10 Enterprise 2016 LTSC (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2019 LTSC are equivalent to Windows 10, version 1809. + +Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as: + - Advanced protection against modern security threats + - Full flexibility of OS deployment + - Updating and support options + - Comprehensive device and app management and control capabilities + +The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below. + +>[!IMPORTANT] +>The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited. + +## Microsoft Intune + +>Microsoft Intune supports LTSC 2019 and later. + + + +## Security + +This version of Window 10 includes security improvements for threat protection, information protection, and identity protection. + +### Threat protection + +#### Windows Defender ATP + +The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform inludes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. + +![Windows Defender ATP](../images/wdatp.png) + +##### Attack surface reduction + +Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access](/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). + - This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. + - When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. + +###### Windows Defender Firewall + +Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](https://docs.microsoft.com/windows/wsl/release-notes#build-17618-skip-ahead). + +###### Windows Defender Application Guard + +Windows Defender Application Guard hardens a favorite attacker entry-point by isolating malware and other threats away from your data, apps, and infrastructure. For more information, see [Windows Defender Application Guard overview](https://docs.microsoft.com/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview). + +Windows Defender Application Guard has support for Edge and has extensions for Chrome and Firefox. For more information, see [System requirements for Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard#software-requirements) + +Windows Defender Application Guard (WDAG) introduced a new user interface inside **Windows Security** in this release. Standalone users can now install and configure their Windows Defender Application Guard settings in Windows Security Center. + +Additionally, users who are managed by enterprise policies will be able to check their settings to see what their administrators have configured for their machines to better understand the behavior of Windows Defender Application Guard. This new UI improves the overall experience for users while managing and checking their Windows Defender Application Guard settings. As long as devices meet the minimum requirements, these settings will appear in Windows Security. For more information, see [Windows Defender Application Guard inside Windows Security App](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/test/m-p/214102#M1709). + +To try this: + +1. Go to **Windows Security** and select **App & browser control**. +2. Under **Isolated browsing**, select **Install Windows Defender Application Guard**, then install and restart the device. +3. Select **Change Application Guard** settings. +4. Configure or check Application Guard settings. + +See the following example: + +![Security at a glance](../images/1_AppBrowser.png "app and browser control") +![Isolated browser](../images/2_InstallWDAG.png "isolated browsing") +![change WDAG settings](../images/3_ChangeSettings.png "change settings") +![view WDAG settings](../images/4_ViewSettings.jpg "view settings") + +##### Windows Defender Device Guard + +[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including: +- Software-based protection provided by code integrity policies +- Hardware-based protection provided by Hypervisor-protected code integrity (HVCI) + +But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control). + +### Next-gen protection + +#### Office 365 Ransomware Detection + +For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US) + +### Endpoint detection and response + +Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal. + + Windows Defender is now called Windows Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). + + We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). The new library includes information on: + - [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus) + - [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) + - [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus) + - [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) + - [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus) + + Some of the highlights of the new library include [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus) and [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus). + + New features for Windows Defender AV in Windows 10 Enterprise 2019 LTSC include: + - [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) + - [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus) + - [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) + + We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). + + **Endpoint detection and response** is also enhanced. New **detection** capabilities include: + - [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. + - [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. + - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. + - Upgraded detections of ransomware and other advanced attacks. + - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. + + **Threat reponse** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: + - [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. + - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. + +Additional capabilities have been added to help you gain a holistic view on **investigations** include: + - [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. + - [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) + - [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) + - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. + - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. + - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP. + +Other enhanced security features include: +- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues. +- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. +- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. +- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. +- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. +- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor. +- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) + +We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. + +We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**. + +This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). + +You can read more about ransomware mitigations and detection capability at: +- [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) +- [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) +- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) + +Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) + +Get a quick, but in-depth overview of Windows Defender ATP for Windows 10: [Windows Defender Advanced Threat Protection](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). + +For more information about features of Windows Defender ATP available in different editions of Windows 10, see the [Windows 10 commercial edition comparison](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf). + +### Information protection + +Improvements have been added to Windows Information Protection and BitLocker. + +#### Windows Information Protection + +Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions). + +Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune). + +You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs). + +This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234). + +### BitLocker + +The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3). + +#### Silent enforcement on fixed drives + +Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. + +This is an update to the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. + +This feature will soon be enabled on Olympia Corp as an optional feature. + +#### Delivering BitLocker policy to AutoPilot devices during OOBE + +You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. + +For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. + +To achieve this: + +1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. +2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. + - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users. +3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. + - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts. + +### Identity protection + +Improvements have been added are to Windows Hello for Business and Credential Guard. + +#### Windows Hello for Business + +New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. + +New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) inlcude: +- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). +- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal. +- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). + +[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section. +- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). +- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. +- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. +- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. +- New [public API](https://docs.microsoft.com/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. +- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). + +For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) + +#### Windows Defender Credential Guard + +Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. + +Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. Please note that Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. + +For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). + +### Other security improvments + +#### Windows security baselines + +Microsoft has released new [Windows security baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). + +**Windows security baselines** have been updated for Windows 10. A [security baseline](https://docs.microsoft.com/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). + +The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published. + +#### SMBLoris vulnerability + +An issue, known as “SMBLoris�?, which could result in denial of service, has been addressed. + +#### Windows Security Center + +Windows Defender Security Center is now called **Windows Security Center**. + +You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**. + +The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products. + +WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. + +![alt text](../images/defender.png "Windows Security Center") + +#### Group Policy Security Options + +The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. + +A new security policy setting +[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise 2019 LTSC. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. + +#### Windows 10 in S mode + +We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: + +![Virus & threat protection settings](../images/virus-and-threat-protection.png "Virus & threat protection settings") + +## Deployment + +### Windows Autopilot + +[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise 2019 LTSC (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. + +Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information. + +Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. + +You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/microsoft-store/add-profile-to-devices). + +#### Windows Autopilot self-deploying mode + +Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. + +This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. + +You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. + +To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying). + + +#### Autopilot Reset + +IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset). + +## Sign-in + +### Faster sign-in to a Windows 10 shared pc + +If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](/windows/configuration/set-up-shared-or-guest-pc.md) in a flash! + +**To enable fast sign-in:** +1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC. +2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in. +3. Sign-in to a shared PC with your account. You'll notice the difference! + + ![fast sign-in](../images/fastsignin.png "fast sign-in") + +### Web sign-in to Windows 10 + +Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). + +**To try out web sign-in:** +1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). +2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. +3. On the lock screen, select web sign-in under sign-in options. +4. Click the “Sign in” button to continue. + +![Web sign-in](../images/websignin.png "web sign-in") + +## Deployment + +### MBR2GPT.EXE + +MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise 2019 LTSC (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). + +The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. + +Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. + +For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). + +### Windows Autopilot + +Information about Windows Autopilot support for LTSC 2019 is pending. + +### DISM + +The following new DISM commands have been added to manage feature updates: + + DISM /Online /Initiate-OSUninstall + – Initiates a OS uninstall to take the computer back to the previous installation of windows. + DISM /Online /Remove-OSUninstall + – Removes the OS uninstall capability from the computer. + DISM /Online /Get-OSUninstallWindow + – Displays the number of days after upgrade during which uninstall can be performed. + DISM /Online /Set-OSUninstallWindow + – Sets the number of days after upgrade during which uninstall can be performed. + +For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options). + +### Windows Setup + +You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once. + +Prerequisites: +- Windows 10, version 1803 or Windows 10 Enterprise 2019 LTSC, or later. +- Windows 10 Enterprise or Pro + +For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions). + +It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. + + /PostRollback [\setuprollback.cmd] [/postrollback {system / admin}] + +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21) + +New command-line switches are also available to control BitLocker: + + Setup.exe /BitLocker AlwaysSuspend + – Always suspend bitlocker during upgrade. + Setup.exe /BitLocker TryKeepActive + – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade. + Setup.exe /BitLocker ForceKeepActive + – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade. + +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33) + +### Feature update improvements + +Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/). + +### SetupDiag + +[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed. + +SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. + +## Windows Analytics + +### Upgrade Readiness + +>[!IMPORTANT] +>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. + +Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. + +The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. + +For more information about Upgrade Readiness, see the following topics: + +- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/) +- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) + +Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). + +### Update Compliance + +Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. + +Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. + +For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor). + +New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). + +### Device Health + +Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). + +## Accessibility and Privacy + +### Accessibility + +"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post. + +### Privacy + +In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) app. + +## Configuration + +### Kiosk configuration + +Microsoft Edge has many improvements specifically targeted to Kiosks, however Edge is not available in the LTSC release of Windows 10. Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release. + +If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](https://docs.microsoft.com/windows/configuration/kiosk-methods) with a semi-annual release channel. + +### Co-management + +Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. + +For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) + +### OS uninstall period + +The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period. + +### Azure Active Directory join in bulk + +Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. + +![get bulk token action in wizard](../images/bulk-token.png) + +### Windows Spotlight + +The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: + +- **Turn off the Windows Spotlight on Action Center** +- **Do not use diagnostic data for tailored experiences** +- **Turn off the Windows Welcome Experience** + +[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight) + +### Start and taskbar layout + +Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise 2019 LTSC adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management). + +[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include: + +- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) +- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) +- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist). + +## Windows Update + +### Windows Update for Business + +Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). + +The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). + + +Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. + +WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). + +Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). + +The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). + + +Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. + +WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). + +### Windows Insider for Business + +We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business). + +You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business). + + +### Optimize update delivery + +With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. + +>[!NOTE] +> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. + +Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. + +Added policies include: +- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) +- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn) +- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching) +- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching) +- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size) + +To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization) + +### Uninstalled in-box apps no longer automatically reinstall + +Starting with Windows 10 Enterprise 2019 LTSC, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. + +Additionally, apps de-provisioned by admins on Windows 10 Enterprise 2019 LTSC machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise 2016 LTSC (or earlier) to Windows 10 Enterprise 2019 LTSC. + +## Management + +### New MDM capabilities + +Windows 10 Enterprise 2019 LTSC adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed). + +Some of the other new CSPs are: + +- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. + +- The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data. + +- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives. + +- The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections. + +- The [Office CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx). + +- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. + +IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. + +[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) + +MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](https://docs.microsoft.com/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). + +Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709). + +### Mobile application management support for Windows 10 + +The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise 2019 LTSC. + +For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management). + +### MDM diagnostics + +In Windows 10 Enterprise 2019 LTSC, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. + +### Application Virtualization for Windows (App-V) + +Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise 2019 LTSC introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. + +For more info, see the following topics: +- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm) +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing) +- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating) +- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages) + +### Windows diagnostic data + +Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level. + +- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) +- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703) + +### Group Policy spreadsheet + +Learn about the new Group Policies that were added in Windows 10 Enterprise 2019 LTSC. + +- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250) + +### Mixed Reality Apps + +This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](https://docs.microsoft.com/windows/application-management/manage-windows-mixed-reality). + +## Networking + +### Network stack + +Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/). + +### Miracast over Infrastructure + +In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx). + +How it works: + +Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. + +Miracast over Infrastructure offers a number of benefits: + +- Windows automatically detects when sending the video stream over this path is applicable. +- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network. +- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. +- No changes to current wireless drivers or PC hardware are required. +- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. +- It leverages an existing connection which both reduces the time to connect and provides a very stable stream. + +Enabling Miracast over Infrastructure: + +If you have a device that has been updated to Windows 10 Enterprise 2019 LTSC, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: + +- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise 2019 LTSC, or a later OS. +- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. + - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. + - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. +- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. +- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. + +It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. + +## Registry editor improvements + +We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. + +![Registry editor dropdown](../images/regeditor.png "Registry editor dropdown") + +## Remote Desktop with Biometrics + +Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. + +To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. + +- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. +- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. + +See the following example: + +![Enter your credentials](../images/RDPwBioTime.png "Windows Hello") +![Enter your credentials](../images/RDPwBio2.png "Windows Hello personal") +![Microsoft Hyper-V Server 2016](../images/hyper-v.png "Microsoft Hyper-V Server 2016") + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. \ No newline at end of file diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index effaa35bd4..622cbcdd98 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md @@ -234,4 +234,4 @@ Support in [Windows Defender Application Guard](#windows-defender-application-gu [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
      [What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
      [Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709. -[How to take a screenshot on pc without any app](https://rahulit.com/how-to-take-a-screenshot-on-a-dell-laptop/) + diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index 64fcbb7821..de8365b010 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -5,14 +5,13 @@ keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 October 2018 Up ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dawnwood -ms.date: 10/02/2018 +author: greg-lindsay ms.localizationpriority: high --- # What's new in Windows 10, version 1809 for IT Pros ->Applies To: Windows 10, version 1809, also known as Windows 10 October 2018 Update +>Applies To: Windows 10, version 1809 In this article we describe new and updated features of interest to IT Pros for Windows 10, version 1809. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1803. @@ -20,32 +19,11 @@ The following 3-minute video summarizes some of the new features that are availa   - - - > [!video https://www.youtube.com/embed/hAva4B-wsVA] -## Your Phone app +## Deployment -Android phone users, you can finally stop emailing yourself photos. With Your Phone you get instant access to your Android’s most recent photos on your PC. Drag and drop a photo from your phone onto your PC, then you can copy, edit, or ink on the photo. Try it out by opening the **Your Phone** app. You’ll receive a text with a link to download an app from Microsoft to your phone. Android 7.0+ devices with ethernet or Wi-Fi on unmetered networks are compatible with the **Your Phone** app. For PCs tied to the China region, **Your Phone** app services will be enabled in the future. - -For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing–-read, watch, or browse-- with all the benefits of a bigger screen. - -![your phone](images/your-phone.png "your phone") - -The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**. - -## Wireless projection experience - -One of the things we’ve heard from you is that it’s hard to know when you’re wirelessly projecting and how to disconnect your session when started from file explorer or from an app. In Windows 10, version 1809, you’ll see a control banner at the top of your screen when you’re in a session (just like you see when using remote desktop). The banner keeps you informed of the state of your connection, allows you to quickly disconnect or reconnect to the same sink, and allows you to tune the connection based on what you are doing. This tuning is done via **Settings**, which optimizes the screen-to-screen latency based on one of the three modes: - -* Game mode minimizes the screen-to-screen latency to make gaming over a wireless connection possible -* Video mode increases the screen-to-screen latency to ensure the video on the big screen plays back smoothly -* Productivity modes strikes a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often. - -![wireless projection banner](images/beaming.png "wireless projection banner") - -## Windows Autopilot self-deploying mode +### Windows Autopilot self-deploying mode Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. @@ -55,64 +33,15 @@ You can utilize Windows Autopilot self-deploying mode to register the device to To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying). -## Kiosk setup experience +### SetupDiag -We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts. +[SetupDiag](/windows/deployment/upgrade/setupdiag.md) version 1.4 is released. SetupDiag is a standalone diagnostic tool that can be used to troubleshoot issues when a Windows 10 upgrade is unsuccessful. -To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page. - -![set up a kiosk](images/kiosk-mode.png "set up a kiosk") - -Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types. - -1.__Digital / Interactive signage__ that displays a specific website full-screen and runs InPrivate mode. -2.__Public browsing__ supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity. - -![single app assigned access](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") - -Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. - ->[!NOTE] ->The following Microsoft Edge kiosk mode types cannot be setup using the new simplified assigned access configuration wizard in Windows 10 Settings. - -1.__Public browsing__ supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows. - -![multi-app assigned access](images/Multi-app_kiosk_inFrame.png "multi-app assigned access") - -2.__Normal mode__ runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books. - -![normal mode](images/Normal_inFrame.png "normal mode") - -Learn more about [Microsoft Edge kiosk mode](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy). - -## Registry editor improvements - -We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. - -![Registry editor dropdown](images/regeditor.png "Registry editor dropdown") - -## Remote Desktop with Biometrics - -Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. - -![Enter your credentials](images/RDPwBioTime.png "Windows Hello") - -To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click __Connect__. - -Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click __More choices__ to choose alternate credentials. - -![Enter your credentials](images/RDPwBio2.png "Windows Hello personal") - -In this example, Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. - -![Microsoft Hyper-V Server 2016](images/hyper-v.png "Microsoft Hyper-V Server 2016") - -## Security Improvements +## Security We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: -![Virus & threat protection settings](images/virus-and-threat-protection.png "Virus & threat protection settings") - + ![Virus & threat protection settings](images/virus-and-threat-protection.png "Virus & threat protection settings") With controlled folder access you can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. @@ -124,8 +53,6 @@ We’re continuing to work on how other security apps you’ve installed show up This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). -
      HKLM\SOFTWARE\Microsoft\Security Center\Feature DisableAvCheck (DWORD) = 1
      - ### BitLocker #### Silent enforcement on fixed drives @@ -138,24 +65,36 @@ This feature will soon be enabled on Olympia Corp as an optional feature. #### Delivering BitLocker policy to AutoPilot devices during OOBE -You can choose which encryption algorithm to apply automatic BitLocker encryption to capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before automatic BitLocker encryption begins. +You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. +To achieve this: + +1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. +2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. + - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users. +3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. + - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts. + ### Windows Defender Application Guard Improvements Windows Defender Application Guard (WDAG) introduced a new user interface inside **Windows Security** in this release. Standalone users can now install and configure their Windows Defender Application Guard settings in Windows Security without needing to change registry key settings. -Additionally, users who are managed by enterprise policies will be able to check their settings to see what their administrators have configured for their machines to better understand the behavior of Windows Defender Application Guard. This new UI improves the overall experience for users while managing and checking their Windows Defender Application Guard settings. As long as devices meet the minimum requirements, these settings will appear in Windows Security. For detailed information, click [here](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/test/m-p/214102#M1709). +Additionally, users who are managed by enterprise policies will be able to check their settings to see what their administrators have configured for their machines to better understand the behavior of Windows Defender Application Guard. This new UI improves the overall experience for users while managing and checking their Windows Defender Application Guard settings. As long as devices meet the minimum requirements, these settings will appear in Windows Security. For more information, see [Windows Defender Application Guard inside Windows Security App](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/test/m-p/214102#M1709). + +To try this: -To try this, 1. Go to**Windows Security** and select **App & browser control**. -![Security at a glance](images/1_AppBrowser.png "app and browser control") 2. Under **Isolated browsing**, select **Install Windows Defender Application Guard**, then install and restart the device. -![Isolated browser](images/2_InstallWDAG.png "isolated browsing") 3. Select **Change Application Guard** settings. -![change WDAG settings](images/3_ChangeSettings.png "change settings") 4. Configure or check Application Guard settings. + +See the following example: + +![Security at a glance](images/1_AppBrowser.png "app and browser control") +![Isolated browser](images/2_InstallWDAG.png "isolated browsing") +![change WDAG settings](images/3_ChangeSettings.png "change settings") ![view WDAG settings](images/4_ViewSettings.jpg "view settings") ### Windows Security Center @@ -215,6 +154,42 @@ Windows Defender ATP now adds support for Windows Server 2019. You'll be able to - [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
      Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor +## Kiosk setup experience + +We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts. + +To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page. + +![set up a kiosk](images/kiosk-mode.png "set up a kiosk") + +Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types. + +1. **Digital / Interactive signage** that displays a specific website full-screen and runs InPrivate mode. +2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity. + +![single app assigned access](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") + +Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. + +>[!NOTE] +>The following Microsoft Edge kiosk mode types cannot be setup using the new simplified assigned access configuration wizard in Windows 10 Settings. + +**Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows. + +![multi-app assigned access](images/Multi-app_kiosk_inFrame.png "multi-app assigned access") + +**Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books. + +![normal mode](images/Normal_inFrame.png "normal mode") + +Learn more about [Microsoft Edge kiosk mode](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy). + +## Registry editor improvements + +We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. + +![Registry editor dropdown](images/regeditor.png "Registry editor dropdown") + ## Faster sign-in to a Windows 10 shared pc Do you have shared devices deployed in your work place? **Fast sign-in** enables users to sign in to a shared Windows 10 PC in a flash! @@ -224,7 +199,7 @@ Do you have shared devices deployed in your work place? **Fast sign-in** enables 2. Set the Policy CSP, and the Authentication and EnableFastFirstSignIn policies to enable fast sign-in. 3. Sign-in to a shared PC with your account. You'll notice the difference! -![fast sign-in](images/fastsignin.png "fast sign-in") + ![fast sign-in](images/fastsignin.png "fast sign-in") ## Web sign-in to Windows 10 @@ -236,4 +211,36 @@ Until now, Windows logon only supported the use of identities federated to ADFS 3. On the lock screen, select web sign-in under sign-in options. 4. Click the “Sign in” button to continue. -![Web sign-in](images/websignin.png "web sign-in") + ![Web sign-in](images/websignin.png "web sign-in") + +## Your Phone app + +Android phone users, you can finally stop emailing yourself photos. With Your Phone you get instant access to your Android’s most recent photos on your PC. Drag and drop a photo from your phone onto your PC, then you can copy, edit, or ink on the photo. Try it out by opening the **Your Phone** app. You’ll receive a text with a link to download an app from Microsoft to your phone. Android 7.0+ devices with ethernet or Wi-Fi on unmetered networks are compatible with the **Your Phone** app. For PCs tied to the China region, **Your Phone** app services will be enabled in the future. + +For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing–-read, watch, or browse-- with all the benefits of a bigger screen. + +![your phone](images/your-phone.png "your phone") + +The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**. + +## Wireless projection experience + +One of the things we’ve heard from you is that it’s hard to know when you’re wirelessly projecting and how to disconnect your session when started from file explorer or from an app. In Windows 10, version 1809, you’ll see a control banner at the top of your screen when you’re in a session (just like you see when using remote desktop). The banner keeps you informed of the state of your connection, allows you to quickly disconnect or reconnect to the same sink, and allows you to tune the connection based on what you are doing. This tuning is done via **Settings**, which optimizes the screen-to-screen latency based on one of the three modes: + +* Game mode minimizes the screen-to-screen latency to make gaming over a wireless connection possible +* Video mode increases the screen-to-screen latency to ensure the video on the big screen plays back smoothly +* Productivity modes strikes a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often. + +![wireless projection banner](images/beaming.png "wireless projection banner") + +## Remote Desktop with Biometrics + +Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. + +To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. + +See the following example: + +![Enter your credentials](images/RDPwBioTime.png "Windows Hello") +![Enter your credentials](images/RDPwBio2.png "Windows Hello personal") +![Microsoft Hyper-V Server 2016](images/hyper-v.png "Microsoft Hyper-V Server 2016") \ No newline at end of file