Merge branch 'master' into mdm-gp-storage-policies

windows/client-management/TOC.md

@@ -12,16 +12,19 @@
 ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
 ## [Windows libraries](windows-libraries.md)
 ## [Troubleshoot Windows 10 clients](windows-10-support-solutions.md)
-### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md)
-### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
-### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
-### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
-### [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md)
-### [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md)
+### [Advanced troubleshooting for Windows networking issues](troubleshoot-networking.md)
+#### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
+#### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md)
+#### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
 ### [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md)
 #### [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
 #### [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
 #### [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md)
 #### [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)
+### [Advanced troubleshooting for Windows start-up issues](troubleshoot-windows-startup.md)
+#### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
+#### [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md)
+#### [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md)
+#### [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)
 ## [Mobile device management for solution providers](mdm/index.md)
 ## [Change history for Client management](change-history-for-client-management.md)

windows/client-management/mdm/bitlocker-csp.md

@@ -6,9 +6,8 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 08/31/2018
+ms.date: 12/06/2018
 ---
-
 # BitLocker CSP
 
 > [!WARNING]
@@ -795,13 +794,13 @@ The following diagram shows the BitLocker configuration service provider in tree
 
 <a href="" id="allowwarningforotherdiskencryption"></a>**AllowWarningForOtherDiskEncryption**  
 
-<p style="margin-left: 20px">Allows the Admin to disable the warning prompt for other disk encryption on the user machines.</p>
+<p style="margin-left: 20px">Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1.</p>
 
 > [!Important]  
-> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices.  Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview) for value 0.
+> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview).
 
 > [!Warning]
-> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will require reinstallation of Windows.
+> When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows.
 
 <table>
 <tr>
@@ -844,6 +843,16 @@ The following diagram shows the BitLocker configuration service provider in tree
 </Replace>
 ```
 
+>[!NOTE]
+>When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.
+>
+>The endpoint for a fixed data drive's backup is chosen in the following order:
+  >1. The user's Windows Server Active Directory Domain Services account.
+  >2. The user's Azure Active Directory account.
+  >3. The user's personal OneDrive (MDM/MAM only).
+>
+>Encryption will wait until one of these three locations backs up successfully.
+
 <a href="" id="allowstandarduserencryption"></a>**AllowStandardUserEncryption**  
 Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account.
 
@@ -854,7 +863,7 @@ Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where pol
                      
 If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system.
 
-The expected values for this policy are: 
+The expected values for this policy are:
 
 - 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.
 - 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive.

windows/client-management/mdm/enterprisemodernappmanagement-csp.md

@@ -80,10 +80,10 @@ Query parameters:
     -   Bundle - returns installed bundle packages.
     -   Framework - returns installed framework packages.
     -   Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They are parts of a bundle.
-    -   XAP - returns XAP package types.
+    -   XAP - returns XAP package types. This filter is not supported on devices other than Windows Mobile. 
     -   All - returns all package types.
 
-    If no value is specified, the combination of Main, Bundle, Framework, and XAP are returned.
+    If no value is specified, the combination of Main, Bundle, and Framework are returned.
 
 -   PackageFamilyName - specifies the name of a particular package. If you specify this parameter, it returns the Package Family name if the package contains this value.
 

windows/client-management/mdm/index.md

@@ -10,7 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: jdeckerms
-ms.date: 09/12/2018
+ms.date: 10/09/2018
 ---
 
 # Mobile device management
@@ -23,12 +23,15 @@ There are two parts to the Windows 10 management component:
 -   The enrollment client, which enrolls and configures the device to communicate with the enterprise management server.
 -   The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.
 
-Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
+Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347).
 
 ## MDM security baseline
 
 With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros’ operational needs, addressing security concerns for modern cloud-managed devices.
 
+>[!NOTE]
+>Intune support for the MDM security baseline is coming soon.
+
 The MDM security baseline includes policies that cover the following areas:
 
 - Microsoft inbox security technology (not deprecated) such as Bitlocker, Smartscreen, and DeviceGuard (virtual-based security), ExploitGuard, Defender, and Firewall
@@ -38,7 +41,7 @@ The MDM security baseline includes policies that cover the following areas:
 - Legacy technology policies that offer alternative solutions with modern technology
 - And much more
 
-For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see [Security baseline (DRAFT) for Windows 10 v1809 and Windows Server 2019](https://blogs.technet.microsoft.com/secguide/2018/10/01/security-baseline-draft-for-windows-10-v1809-and-windows-server-2019/).
+For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see [MDM Security baseline (Preview) for Windows 10, version 1809](http://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip).
 
 
 

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -10,7 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 09/20/2018
+ms.date: 12/06/2018
 ---
 
 # What's new in MDM enrollment and management
@@ -1760,6 +1760,12 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 
 ## Change history in MDM documentation
 
+### December 2018
+
+|New or updated topic | Description|
+|--- | ---|
+|[BitLocker CSP](bitlocker-csp.md)|Updated AllowWarningForOtherDiskEncryption policy description to describe silent and non-silent encryption scenarios, as well as where and how the recovery key is backed up for each scenario.|
+
 ### September 2018
 
 |New or updated topic | Description|

windows/client-management/mdm/policy-csp-bluetooth.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 08/30/2018
+ms.date: 11/15/2018
 ---
 
 # Policy CSP - Bluetooth
@@ -352,15 +352,21 @@ Footnote:
 
 ## ServicesAllowedList usage guide
 
-When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly define Bluetooth profiles and services. It is an allowed list, enabling admins to still allow custom Bluetooth profiles that are not defined by the Bluetooth Special Interests Group (SIG).
+When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly defined Bluetooth profiles and services. It is an allowed list, enabling admins to still allow custom Bluetooth profiles that are not defined by the Bluetooth Special Interests Group (SIG).
 
-To define which profiles and services are allowed, enter the profile or service Universally Unique Identifiers (UUID) using semicolon delimiter. To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website. 
+- Disabling a service shall block incoming and outgoing connections for such services
+- Disabling a service shall not publish an SDP record containing the service being blocked
+- Disabling a service shall not allow SDP to expose a record for a blocked service
+- Disabling a service shall log when a service is blocked for auditing purposes
+- Disabling a service shall take effect upon reload of the stack or system reboot
+
+To define which profiles and services are allowed, enter the semicolon delimited profile or service Universally Unique Identifiers (UUID). To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website. 
 
 These UUIDs all use the same base UUID with the profile identifiers added to the beginning of the base UUID.
 
 Here are some examples:
 
-**Bluetooth Headsets for Voice (HFP)**
+**Example of how to enable Hands Free Profile (HFP)**
 
 BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB
 
@@ -370,8 +376,22 @@ BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB
 
 Footnote: * Used as both Service Class Identifier and Profile Identifier.
 
-Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000111E-0000-1000-8000-00805F9B34FB
+Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000**111E**-0000-1000-8000-00805F9B34FB
 
+**Allow Audio Headsets (Voice)**
+
+|Profile|Reasoning|UUID|
+|-|-|-|
+|HFP (Hands Free Profile)|For voice-enabled headsets|0x111E|
+|Generic Audio Service|Generic audio service|0x1203|
+|Headset Service Class|For older voice-enabled headsets|0x1108|
+|PnP Information|Used to identify devices occasionally|0x1200|
+
+This means that if you only want Bluetooth headsets, the UUIDs to include are:
+
+{0000111E-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}
+
+<!--
 **Allow Audio Headsets only (Voice)**
 
 |Profile  |Reasoning  |UUID  |
@@ -386,38 +406,38 @@ Footnote: * *GAP, DID, and Scan Parameter are required, as these are underlying
 This means that if you only want Bluetooth headsets, the UUIDs are:
 
 {0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
+-->
 
 **Allow Audio Headsets and Speakers (Voice & Music)**
 
 |Profile  |Reasoning  |UUID  |
 |---------|---------|---------|
 |HFP (Hands Free Profile)     |For voice enabled headsets         |0x111E         |
-|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers         |0x110A         |
-|GAP (Generic Access Profile)     |Generic service used by Bluetooth         |0x1800         |
-|Device ID (DID)     |Generic service used by Bluetooth         |0x180A         |
-|Scan Parameters     |Generic service used by Bluetooth         |0x1813         |
+|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers         |0x110B|         
+|Generic Audio Service|Generic service used by Bluetooth|0x1203|
+|Headset Service Class|For older voice-enabled headsets|0x1108|
+|AV Remote Control Target Service|For controlling audio remotely|0x110C|
+|AV Remote Control Service|For controlling audio remotely|0x110E|
+|AV Remote Control Controller Service|For controlling audio remotely|0x110F|
+|PnP Information|Used to identify devices occasionally|0x1200|
 
-{0000111E-0000-1000-8000-00805F9B34FB};{0000110A-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
+{0000111E-0000-1000-8000-00805F9B34FB};{0000110B-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{0000110C-0000-1000-8000-00805F9B34FB};{0000110E-0000-1000-8000-00805F9B34FB};{0000110F-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}; 
 
 **Classic Keyboards and Mice**
 
 |Profile  |Reasoning  |UUID  |
 |---------|---------|---------|
 |HID (Human Interface Device)     |For classic BR/EDR keyboards and mice         |0x1124         |
-|GAP (Generic Access Profile)     |Generic service used by Bluetooth         |0x1800         |
-|DID (Device ID)     |Generic service used by Bluetooth         |0x180A         |
-|Scan Parameters     |Generic service used by Bluetooth         |0x1813         |
+|PnP Information|Used to identify devices occasionally|0x1200|
 
-{00001801-0000-1000-8000-00805F9B34FB};{00001812-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
+{00001124-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB};
 
-> [!Note]  
-> For both Classic and LE use a super set of the two formula’s UUIDs
 
 **LE Keyboards and Mice**  
 
 |Profile  |Reasoning  |UUID  |
 |---------|---------|---------|
-|Generic Access Atribute     |For the LE Protocol         |0x1801         |
+|Generic Access Attribute     |For the LE Protocol         |0x1801         |
 |HID Over GATT *     |For LE keyboards and mice         |0x1812         |
 |GAP (Generic Access Profile)     |Generic service used by Bluetooth         |0x1800         |
 |DID (Device ID)     |Generic service used by Bluetooth         |0x180A         |
@@ -433,10 +453,12 @@ Footnote: * The Surface pen uses the HID over GATT profile
 |---------|---------|---------|
 |OBEX Object Push (OPP)     |For file transfer         |0x1105         |
 |Object Exchange (OBEX)     |Protocol for file transfer         |0x0008         |
-|Generic Access Profile (GAP)     |Generic service used by Bluetooth         |0x1800         |
-|Device ID (DID)     |Generic service used by Bluetooth         |0x180A         |
-|Scan Parameters     |Generic service used by Bluetooth         |0x1813         |
-
-{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
+|PnP Information|Used to identify devices occasionally|0x1200|
 
+{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}
 
+Disabling file transfer shall have the following effects
+- Fsquirt shall not allow sending of files
+- Fsquirt shall not allow receiving of files
+- Fsquirt shall display error message informing user of policy preventing file transfer
+- 3rd-party apps shall not be permitted to send or receive files using MSFT Bluetooth API

windows/client-management/mdm/policy-csp-deviceinstallation.md

@@ -463,10 +463,13 @@ If you disable or do not configure this policy setting, devices can be installed
 
 For more information about hardware IDs and compatible IDs, see [Device Identification Strings](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings).
 
-To get the hardware ID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Hardware Ids** from the **Property** menu:
+You can get the hardware ID in Device Manager. For example, USB drives are listed under Disk drives:
 
-![Hardware IDs](images/hardware-ids.png)
+![Disk drives](images/device-manager-disk-drives.png)
 
+Right-click the name of the device, click **Properties** > **Details** and select **Hardware Ids** as the **Property**: 
+
+![Hardware IDs](images/disk-drive-hardware-id.png)
 
 <!--/Description-->
 > [!TIP]

windows/client-management/troubleshoot-inaccessible-boot-device.md

@@ -0,0 +1,280 @@
+---
+title: Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device
+description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+ms.topic: troubleshooting
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 12/11/2018
+---
+
+# Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device
+
+This article provides steps to troubleshoot **Stop error 7B: Inaccessible_Boot_Device**. This error may occur after some changes are made to the computer, or immediately after you deploy Windows on the computer.
+
+##  Causes of the  Inaccessible_Boot_Device  Stop error
+
+Any one of the following factors may cause the stop error:
+
+*	Missing, corrupted, or misbehaving filter drivers that are related to the storage stack
+
+*	File system corruption
+
+*	Changes to the storage controller mode or settings in the BIOS 
+
+*	Using a different storage controller than the one that was used when Windows was installed
+
+*	Moving the hard disk to a different computer that has a different controller
+
+*	A faulty motherboard or storage controller, or faulty hardware 
+
+*	In unusual cases: the failure of the TrustedInstaller service to commit newly installed updates because of Component Based Store corruptions
+
+*	Corrupted files in the **Boot**  partition (for example, corruption in the volume that is labeled **SYSTEM**  when you run the `diskpart`  > `list vol`  command)
+
+##  Troubleshoot this error
+
+Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). To do this, follow these steps.
+
+1. Start the system by using [the installation media for the installed version of Windows](https://support.microsoft.com/help/15088).
+
+2. On the **Install Windows**  screen, select **Next**  > **Repair your computer** .
+
+3. On the **System Recovery Options**  screen, select **Next**  > **Command Prompt** .
+
+###  Verify that the boot disk is connected and accessible
+
+####  Step 1
+
+ At the WinRE Command prompt, run `diskpart`, and then run `list disk`.
+
+A list of the physical disks that are attached to the computer should be displayed and resemble the following display:
+
+```
+  Disk ###  Status         Size     Free     Dyn  Gpt
+
+  --------  -------------  -------  -------  ---  ---
+
+  Disk 0    Online         **size*  GB      0 B        *
+``` 
+
+If the computer uses a Unified Extensible Firmware Interface (UEFI) startup interface, there will be an asterisk (*) in the **GPT**  column.
+
+If the computer uses a basic input/output system (BIOS) interface, there will not be an asterisk in the **Dyn**  column.
+
+####  Step 2
+
+If the `list disk` command lists the OS disks correctly, run the `list vol` command in `diskpart`.
+
+`list vol` generates an output that resembles the following display:
+
+```
+  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
+
+  ----------  ---  -----------  -----  ----------  -------  ---------  --------
+
+  Volume 0         Windows RE   NTFS   Partition    499 MB  Healthy
+
+  Volume 1     C   OSDisk       NTFS   Partition    222 GB  Healthy    Boot
+
+  Volume 2         SYSTEM       FAT32  Partition    499 MB  Healthy    System
+```
+
+>[!NOTE]
+>If the disk that contains the OS is not listed in the output, you will have to engage the OEM or virtualization manufacturer.
+
+###  Verify the integrity of Boot Configuration Database
+
+Check whether the Boot Configuration Database (BCD) has all the correct entries. To do this, run `bcdedit` at the WinRE command prompt.
+
+To verify the BCD entries:
+
+1.	Examine the **Windows Boot Manager**  section that has the **{bootmgr}** identifier. Make sure that the **device**  and **path**  entries point to the correct device and boot loader file.
+ 
+    An example output if the computer is UEFI-based:
+    
+    ```
+    device                  partition=\Device\HarddiskVolume2
+    path                    \EFI\Microsoft\Boot\bootmgfw.efi
+    ```
+
+    An example output if the machine is BIOS based:
+    ```
+    Device                partition=C:
+    ```
+    >[!NOTE]
+    >This output may not contain a path.
+
+2.	In the **Windows Boot Loader**  that has the **{default}** identifier, make sure that **device** , **path** , **osdevice,**  and **systemroot**  point to the correct device or partition, winload file, OS partition or device, and OS folder.
+ 
+    >[!NOTE]
+    >If the computer is UEFI-based, the **bootmgr**  and **winload**  entires under **{default}**  will contain an **.efi**  extension.
+
+ ![bcdedit](images/screenshot1.png)
+
+If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that is named **bcdbackup** . To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup** .
+
+After the backup is completed, run the following command to make the changes:
+
+<pre>bcdedit /set *{identifier}* option value</pre>
+
+For example, if the device under {default} is wrong or missing, run the following command to set it: `bcdedit /set {default} device partition=C:`
+
+ If you want to re-create the BCD completely, or if you get a message that states that "**The boot configuration data store could not be opened. The system could not find the file specified,** " run `bootrec /rebuildbcd`.
+
+If the BCD has the correct entries, check whether the **winload** and **bootmgr** entries exist in the correct location per the path that is specified in the **bcdedit**  command. By default, **bootmgr**  in the BIOS partition will be in the root of the **SYSTEM**  partition. To see the file, run `Attrib -s -h -r`.
+
+If the files are missing, and you want to rebuild the boot files, follow these steps:
+
+1.	Copy all the contents under the **SYSTEM**  partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM**  volume, as follows:
+
+```
+D:\> Mkdir  BootBackup
+R:\> Copy *.* D:\BootBackup 
+```
+
+2.	If you are using Windows 10, or if you are troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot**  command to re-create the boot files, as follows:
+
+    ```cmd
+    Bcdboot <**OSDrive* >:\windows /s <**SYSTEMdrive* >: /f ALL
+    ```
+
+    For example: if we assign the ,System Drive> (WinRE drive) the letter R and the <OSdrive> is the letter D, this command would be the following:
+
+    ```cmd
+    Bcdboot D:\windows /s R: /f ALL
+    ```
+
+    >[!NOTE]
+    >The **ALL** part of the **bcdboot** command writes all the boot files (both UEFI and BIOS) to their respective locations.
+
+If you do not have a Windows 10 ISO, you must format the partition and copy **bootmgr**  from another working computer that has a similar Windows build. To do this, follow these steps:
+
+1.	Start **Notepad** .
+
+2.	Press Ctrl+O.
+
+3.	Navigate to the system partition (in this example, it is R).
+
+4.	Right-click the partition, and then format it.
+
+###  Troubleshooting if this issue occurs after a Windows Update installation
+
+Run the following command to verify the Windows update installation and dates:
+
+```cmd
+Dism /Image:<Specify the OS drive>: /Get-packages
+```
+
+After you run this command, you will see the **Install pending** and **Uninstall Pending ** packages:
+
+![Dism output](images/pendingupdate.png)
+
+1.	Run the `dism /Image:C:\ /Cleanup-Image /RevertPendingActions` command. Replace **C:** with the system partition for your computer.
+
+    ![Dism output](images/revertpending.png)
+
+2.	Navigate to ***OSdriveLetter* :\Windows\WinSxS** , and then check whether the **pending.xml**  file exists. If it does, rename it to **pending.xml.old**.
+
+3.	To revert the registry changes, type **regedit**  at the command prompt to open **Registry Editor**.
+
+4.	Select **HKEY_LOCAL_MACHINE**, and then go to **File**  > **Load Hive**.
+
+5.	Navigate to **OSdriveLetter:\Windows\System32\config**, select the file that is named **COMPONENT** (with no extension), and then select **Open**. When you are prompted, enter the name **OfflineComponentHive** for the new hive
+    
+    ![Load Hive](images/loadhive.png)
+
+6.	Expand **HKEY_LOCAL_MACHINE\OfflineComponentHive**, and check whether the **PendingXmlIdentifier** key exists. Create a backup of the **OfflineComponentHive** key, and then delete the **PendingXmlIdentifier** key.
+
+7.	Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File**  > **Unload hive**.
+
+    ![Unload Hive](images/unloadhive.png)![Unload Hive](images/unloadhive1.png)
+
+8.	Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter* :\Windows\System32\config**, select the file that is named **SYSTEM** (with no extension), and then select **Open** . When you are prompted, enter the name **OfflineSystemHive** for the new hive.
+
+9.	Expand **HKEY_LOCAL_MACHINE\OfflineSystemHive**, and then select the **Select** key. Check the data for the **Default** value.
+
+10.	If the data in **HKEY_LOCAL_MACHINE\OfflineSystemHive\Select\Default**  is **1** , expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001**. If it is **2**, expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet002**, and so on.
+
+11.	 Expand **Control\Session Manager**. Check whether the **PendingFileRenameOperations** key exists. If it does, back up the **SessionManager** key, and then delete the **PendingFileRenameOperations** key.
+
+###  Verifying boot critical drivers and services
+
+####  Check services	
+
+1.	 Follow steps 1-10 in the "Troubleshooting if this issue occurs after an Windows Update installation" section. (Step 11 does not apply to this procedure.)
+
+2.	Expand **Services**.
+
+3.	Make sure that the following registry keys exist under **Services**: 
+
+    * ACPI
+
+    * DISK
+    
+    *	VOLMGR
+    
+    *	PARTMGR
+    
+    *	VOLSNAP
+    
+    *	VOLUME
+
+If these keys exist, check each one to make sure that it has a value that is named **Start** and that it is set to **0**. If not, set the value to **0**.
+
+If any of these keys do not exist, you can try to replace the current registry hive by using the hive from **RegBack**. To do this, run the following commands:
+
+```cmd
+cd OSdrive:\Windows\System32\config
+ren SYSTEM SYSTEM.old
+copy OSdrive:\Windows\System32\config\RegBack\SYSTEM OSdrive:\Windows\System32\config\
+```
+
+####  Check upper and lower filter drivers
+
+Check whether there are any non-Microsoft upper and lower filter drivers on the computer and that they do not exist on another, similar working computer. if they do exist, remove the upper and lower filter drivers:
+
+1.  Expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001\Control**.
+
+2.	Look for any **UpperFilters** or **LowerFilters**  entries.
+
+    >[!NOTE]
+    >These filters are mainly related to storage. After you expand the **Control** key in the registry, you can search for **UpperFilters** and **LowerFilters**.
+
+ The following are some of the different registry entries in which you may find these filter drivers. These entries are located under **ControlSet**  and are designated as **Default** :
+
+\Control\Class\\{4D36E96A-E325-11CE-BFC1-08002BE10318} 
+
+\Control\Class\\{4D36E967-E325-11CE-BFC1-08002BE10318} 
+
+\Control\Class\\{4D36E97B-E325-11CE-BFC1-08002BE10318} 
+
+\Control\Class\\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
+
+![Registry](images/controlset.png) 
+
+If an **UpperFilters**  or **LowerFilters**  entry is non-standard (for example, it is not a Windows default filter driver, such as PartMgr), remove the entry by double-clicking it in the right pane, and then deleting only that value.
+
+>[!NOTE]
+>There could be multiple entries.
+
+The reason that these entries may affect us is because there may be an entry in the **Services** branch that has a START type set to 0 or 1 (indicating that it is loaded at the Boot or Automatic part of the boot process). Also, either the file that is referred to is missing or corrupted, or it may be named differently than what is listed in the entry. 
+
+>[!NOTE]
+>If there actually is a service that is set to **0** or **1** that corresponds to an **UpperFilters** or **LowerFilters** entry, setting the service to disabled in the **Services** registry (as discussed in steps 2 and 3 of the Check services section) without removing the **Filter Driver** entry causes the computer to crash and generate a 0x7b Stop error.
+
+###  Running SFC and Chkdsk
+
+ If the computer still does not start, you can try to run a **chkdisk**  process on the system drive, and also run System File Checker. To do this, run the following commands at a WinRE command prompt:
+
+*	`chkdsk /f /r OsDrive:`
+
+    ![Check disk](images/check-disk.png)
+
+*	`sfc /scannow /offbootdir=OsDrive:\ /offwindir=OsDrive:\Windows`
+
+    ![SFC scannow](images/sfc-scannow.png)
+

windows/client-management/troubleshoot-networking.md

@@ -0,0 +1,20 @@
+---
+title: Advanced troubleshooting for Windows networking issues
+description: Learn how to troubleshoot networking issues.
+ms.prod: w10
+ms.sitesec: library
+ms.topic: troubleshooting
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 
+---
+
+# Advanced troubleshooting for Windows networking issues
+
+In these topics, you will learn how to troubleshoot common problems related to Windows networking.
+
+- [Advanced troubleshooting Wireless Network](advanced-troubleshooting-wireless-network-connectivity.md)
+- [Data collection for troubleshooting 802.1x authentication](data-collection-for-802-authentication.md)
+- [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
+- [Advanced troubleshooting for TCP/IP issues](troubleshoot-tcpip.md)

windows/client-management/troubleshoot-stop-errors.md

@@ -101,7 +101,7 @@ The memory dump file is saved at the following locations.
 
 You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid. For more information, see the following video: 
 
->[!video https://www.youtube.com/embed?v=xN7tOfgNKag]
+>[!video https://www.youtube.com/watch?v=xN7tOfgNKag&feature=youtu.be]
 
 
 More information on how to use Dumpchk.exe to check your dump files:

windows/client-management/troubleshoot-tcpip-connectivity.md

@@ -36,17 +36,17 @@ If the initial TCP handshake is failing because of packet drops then you would s
     
 Source side connecting on port 445:
 
-![](images/tcp-ts-6.png)
+![Screenshot of frame summary in Network Monitor](images/tcp-ts-6.png)
 
 Destination side: applying the same filter, you do not see any packets.
 
-![](images/tcp-ts-7.png)
+![Screenshot of frame summary with filter in Network Monitor](images/tcp-ts-7.png)
 
 For the rest of the data, TCP will retransmit the packets 5 times.
 
 **Source 192.168.1.62 side trace:**
 
-![](images/tcp-ts-8.png)
+![Screenshot showing packet side trace](images/tcp-ts-8.png)
 
 **Destination 192.168.1.2 side trace:**
      
@@ -71,15 +71,15 @@ In the below screenshots, you see that the packets seen on the source and the de
     
 **Source Side**
 
-![](images/tcp-ts-9.png)
+![Screenshot of packets on source side in Network Monitor](images/tcp-ts-9.png)
 
 **On the destination-side trace** 
 
-![](images/tcp-ts-10.png)
+![Screenshot of packets on destination side in Network Monitor](images/tcp-ts-10.png)
 
 You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason does not want to accept the packet, it would send an ACK+RST packet.  
 
-![](images/tcp-ts-11.png)
+![Screenshot of packet flag](images/tcp-ts-11.png)
 
 The application which is causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection. 
  
@@ -102,8 +102,8 @@ auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /fai
  
 You can then review the Security event logs to see for a packet drop on a particular port-IP and a filter ID associated with it.
 
-![](images/tcp-ts-12.png)
+![Screenshot of Event Properties](images/tcp-ts-12.png)
 
 Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. Once you open this file and filter for the ID you find in the above event (2944008), you will be able to see a firewall rule name associated with this ID which is blocking the connection.
 
-![](images/tcp-ts-13.png)
+![Screenshot of wfpstate.xml file](images/tcp-ts-13.png)

windows/client-management/troubleshoot-tcpip-port-exhaust.md

@@ -54,21 +54,21 @@ Specifically, about outbound connections as incoming connections will not requir
  
 Since outbound connections start to fail, you will see a lot of the below behaviors:
  
-- Unable to login to the machine with domain credentials, however login with local account works. Domain login will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain login might still work.
+- Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work.
 
-    ![](images/tcp-ts-14.png)
+    ![Screenshot of error for NETLOGON in Event Viewer](images/tcp-ts-14.png)
 
 - Group Policy update failures:
 
-    ![](images/tcp-ts-15.png)
+    ![Screenshot of event properties for Group Policy failure](images/tcp-ts-15.png)
 
 - File shares are inaccessible:
 
-    ![](images/tcp-ts-16.png)
+    ![Screenshot of error message "Windows cannot access"](images/tcp-ts-16.png)
 
 - RDP from the affected server fails:
 
-    ![](images/tcp-ts-17.png)
+    ![Screenshot of error when Remote Desktop is unable to connect](images/tcp-ts-17.png)
 
 - Any other application running on the machine will start to give out errors
 
@@ -82,15 +82,15 @@ If you suspect that the machine is in a state of port exhaustion:
 
     a.	**Event ID 4227**
 
-    ![](images/tcp-ts-18.png)
+    ![Screenshot of event id 4227 in Event Viewer](images/tcp-ts-18.png)
 
     b.	**Event ID 4231**
 
-    ![](images/tcp-ts-19.png)
+    ![Screenshot of event id 4231 in Event Viewer](images/tcp-ts-19.png)
 
 3. Collect a `netstat -anob output` from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID.
 
-    ![](images/tcp-ts-20.png)
+    ![Screenshot of netstate command output](images/tcp-ts-20.png)
 
 After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
  
@@ -132,7 +132,7 @@ If method 1 does not help you identify the process (prior to Windows 10 and Wind
 1.	Add a column called “handles” under details/processes.
 2.	Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe.
 
-    ![](images/tcp-ts-21.png)
+    ![Screenshot of handles column in Windows Task Maner](images/tcp-ts-21.png)
 
 3.	If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds.
  
@@ -153,7 +153,7 @@ Steps to use Process explorer:
     
     File   \Device\AFD
 
-    ![](images/tcp-ts-22.png)
+    ![Screenshot of Process Explorer](images/tcp-ts-22.png)
 
 10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app.
  

windows/client-management/troubleshoot-tcpip-rpc-errors.md

@@ -158,15 +158,15 @@ Open the traces in [Microsoft Network Monitor 3.4](troubleshoot-tcpip-netmon.md)
 
 - Look for the “EPM” Protocol Under the “Protocol” column.
 
-- Now check if you are getting a response from the server or not, if you get a response note the Dynamic Port number that you have been allocated to use.
+- Now check if you are getting a response from the server. If you get a response, note the dynamic port number that you have been allocated to use.
 
-    ![](images/tcp-ts-23.png)
+    ![Screenshot of Network Monitor with dynamic port highlighted](images/tcp-ts-23.png)
 
 - Check if we are connecting successfully to this Dynamic port successfully.
 
 - The filter should be something like this: tcp.port==<dynamic-port-allocated> and ipv4.address==<server-ip> 
 
-    ![](images/tcp-ts-24.png)
+    ![Screenshot of Network Monitor with filter applied](images/tcp-ts-24.png)
 
 This should help you verify the connectivity and isolate if any network issues are seen.
 
@@ -175,13 +175,13 @@ This should help you verify the connectivity and isolate if any network issues a
 
 The most common reason why we would see the RPC server unavailable is when the dynamic port that the client tries to connect is not reachable. The client side trace would then show TCP SYN retransmits for the dynamic port.
  
-![](images/tcp-ts-25.png)
+![Screenshot of Network Monitor with TCP SYN retransmits](images/tcp-ts-25.png)
  
 The port cannot be reachable due to one of the following reasons:
 
 - The dynamic port range is blocked on the firewall in the environment. 
 - A middle device is dropping the packets. 
-- The destination server is dropping the packets (WFP drop / NIC drop/ Filter driver etc)
+- The destination server is dropping the packets (WFP drop / NIC drop/ Filter driver etc).
 
 
 

windows/client-management/troubleshoot-windows-startup.md

@@ -0,0 +1,19 @@
+---
+title: Advanced troubleshooting for Windows start-up issues
+description: Learn how to troubleshoot Windows start-up issues.
+ms.prod: w10
+ms.sitesec: library
+ms.topic: troubleshooting
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 
+---
+
+# Advanced troubleshooting for Windows start-up issues
+
+In these topics, you will learn how to troubleshoot common problems related to Windows start-up.
+
+- [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
+- [Advanced troubleshooting for Stop error or blue screen error](troubleshoot-stop-errors.md)
+- [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md)