From bed8a22deacc46a70870185db9e9294e203f1650 Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Sun, 15 Mar 2020 16:13:40 +0100 Subject: [PATCH 01/14] Update about-app-v-51-reporting.md Added markdown for PowerShell code and Note. Converted one table to markdown style. --- mdop/appv-v5/about-app-v-51-reporting.md | 170 +++++++---------------- 1 file changed, 48 insertions(+), 122 deletions(-) diff --git a/mdop/appv-v5/about-app-v-51-reporting.md b/mdop/appv-v5/about-app-v-51-reporting.md index b37f88f1db..381a1231a7 100644 --- a/mdop/appv-v5/about-app-v-51-reporting.md +++ b/mdop/appv-v5/about-app-v-51-reporting.md @@ -16,36 +16,32 @@ ms.date: 08/30/2016 # About App-V 5.1 Reporting - Microsoft Application Virtualization (App-V) 5.1 includes a built-in reporting feature that helps you collect information about computers running the App-V 5.1 client as well as information about virtual application package usage. You can use this information to generate reports from a centralized database. ## App-V 5.1 Reporting Overview - The following list displays the end–to-end high-level workflow for reporting in App-V 5.1. -1. The App-V 5.1 Reporting server has the following prerequisites: +1. The App-V 5.1 Reporting server has the following prerequisites: - - Internet Information Service (IIS) web server role + - Internet Information Service (IIS) web server role - - Windows Authentication role (under **IIS / Security**) + - Windows Authentication role (under **IIS / Security**) - - SQL Server installed and running with SQL Server Reporting Services (SSRS) + - SQL Server installed and running with SQL Server Reporting Services (SSRS) To confirm SQL Server Reporting Services is running, view `http://localhost/Reports` in a web browser as administrator on the server that will host App-V 5.1 Reporting. The SQL Server Reporting Services Home page should display. -2. Install the App-V 5.1 reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md). Configure the time when the computer running the App-V 5.1 client should send data to the reporting server. +2. Install the App-V 5.1 reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md). Configure the time when the computer running the App-V 5.1 client should send data to the reporting server. -3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined appvshort Reports from the Download Center at . +3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined SSRS Reports from the [Download Center](https://go.microsoft.com/fwlink/?LinkId=397255). - **Note**   - If you are using the Configuration Manager integration with App-V 5.1, most reports are generated from Configuration Manager rather than from App-V 5.1. + > [!NOTE] + > If you are using the Configuration Manager integration with App-V 5.1, most reports are generated from Configuration Manager rather than from App-V 5.1. - +4. After importing the App-V 5.1 PowerShell module using `Import-Module AppvClient` as administrator, enable the App-V 5.1 client. This sample PowerShell cmdlet enables App-V 5.1 reporting: -4. After importing the App-V 5.1 PowerShell module using `Import-Module AppvClient` as administrator, enable the App-V 5.1 client. This sample PowerShell cmdlet enables App-V 5.1 reporting: - - ``` syntax + ```powershell Set-AppvClientConfiguration –reportingserverurl : -reportingenabled 1 – ReportingStartTime <0-23> - ReportingRandomDelay <#min> ``` @@ -53,18 +49,14 @@ The following list displays the end–to-end high-level workflow for reporting i For more information about installing the App-V 5.1 client with reporting enabled see [About Client Configuration Settings](about-client-configuration-settings51.md). To administer App-V 5.1 Reporting with Windows PowerShell, see [How to Enable Reporting on the App-V 5.1 Client by Using PowerShell](how-to-enable-reporting-on-the-app-v-51-client-by-using-powershell.md). -5. After the reporting server receives the data from the App-V 5.1 client it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server and then a notification is sent to the App-V 5.1 client. +5. After the reporting server receives the data from the App-V 5.1 client it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server and then a notification is sent to the App-V 5.1 client. -6. When the App-V 5.1 client receives the success notification, it empties the data cache to conserve space. +6. When the App-V 5.1 client receives the success notification, it empties the data cache to conserve space. - **Note**   - By default the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache. + > [!NOTE] + > By default the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache. - - -~~~ If the App-V 5.1 client device does not receive a success notification from the server, it retains data in the cache and tries to resend data at the next configured interval. Clients continue to collect data and add it to the cache. -~~~ ### App-V 5.1 reporting server frequently asked questions @@ -121,52 +113,50 @@ The following table displays answers to common questions about App-V 5.1 reporti Note

Group Policy settings override local settings configured using PowerShell.

-
- - ## App-V 5.1 Client Reporting - To use App-V 5.1 reporting you must install and configure the App-V 5.1 client. After the client has been installed, use the **Set-AppVClientConfiguration** PowerShell cmdlet or the **ADMX Template** to configure reporting. The reporting feature cmdlets are available by using the following link and are prefaced by **Reporting**. For a complete list of client configuration settings see [About Client Configuration Settings](about-client-configuration-settings51.md). The following section provides examples of App-V 5.1 client reporting configuration using PowerShell. ### Configuring App-V Client reporting using PowerShell The following examples show how PowerShell parameters can configure the reporting features of the App-V 5.1 client. -**Note** -The following configuration task can also be configured using Group Policy settings in the App-V 5.1 ADMX template. For more information about using the ADMX template, see [How to Modify App-V 5.1 Client Configuration Using the ADMX Template and Group Policy](how-to-modify-app-v-51-client-configuration-using-the-admx-template-and-group-policy.md). - - +> [!NOTE] +> The following configuration task can also be configured using Group Policy settings in the App-V 5.1 ADMX template. For more information about using the ADMX template, see [How to Modify App-V 5.1 Client Configuration Using the ADMX Template and Group Policy](how-to-modify-app-v-51-client-configuration-using-the-admx-template-and-group-policy.md). **To enable reporting and to initiate data collection on the computer running the App-V 5.1 client**: -`Set-AppVClientConfiguration –ReportingEnabled 1` +```powershell +Set-AppVClientConfiguration –ReportingEnabled 1 +``` **To configure the client to automatically send data to a specific reporting server**: -``` syntax -Set-AppVClientConfiguration –ReportingServerURL http://MyReportingServer:MyPort/ -ReportingStartTime 20 -ReportingInterval 1 -ReportingRandomDelay 30 +```powershell +Set-AppVClientConfiguration –ReportingServerURL http://MyReportingServer:MyPort/ -ReportingStartTime 20 -ReportingInterval 1 -ReportingRandomDelay 30 -ReportingInterval 1 -ReportingRandomDelay 30 ``` -`-ReportingInterval 1 -ReportingRandomDelay 30` - -This example configures the client to automatically send the reporting data to the reporting server URL http://MyReportingServer:MyPort/. Additionally, the reporting data will be sent daily between 8:00 and 8:30 PM, depending on the random delay generated for the session. +This example configures the client to automatically send the reporting data to the reporting server URL **http://MyReportingServer:MyPort/**. Additionally, the reporting data will be sent daily between 8:00 and 8:30 PM, depending on the random delay generated for the session. **To limit the size of the data cache on the client**: -`Set-AppvClientConfiguration –ReportingDataCacheLimit 100` +```powershell +Set-AppvClientConfiguration –ReportingDataCacheLimit 100 +``` Configures the maximum size of the reporting cache on the computer running the App-V 5.1 client to 100 MB. If the cache limit is reached before the data is sent to the server, then the log rolls over and data will be overwritten as necessary. **To configure the data block size transmitted across the network between the client and the server**: -`Set-AppvClientConfiguration –ReportingDataBlockSize 10240` +```powershell +Set-AppvClientConfiguration –ReportingDataBlockSize 10240 +``` Specifies the maximum data block that the client sends to 10240 MB. @@ -174,59 +164,15 @@ Specifies the maximum data block that the client sends to 10240 MB. The following table displays the types of information you can collect by using App-V 5.1 reporting. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Client InformationPackage InformationApplication Usage

Host Name

Package Name

Start and End Times

App-V 5.1 Client Version

Package Version

Run Status

Processor Architecture

Package Source

Shutdown State

Operating System Version

Percent Cached

Application Name

Service Pack Level

Application Version

Operating System Type

Username

Connection Group

- - +|Client Information |Package Information |Application Usage | +|---------|---------|---------| +|Host Name |Package Name|Start and End Times| +|App-V 5.1 Client Version |Package Version|Run Status| +|Processor Architecture |Package Source|Shutdown State| +|Operating System Version|Percent Cached|Application Name| +|Service Pack Level| |Application Version| +|Operating System Type| |Username| +| | |Connection Group| The client collects and saves this data in an **.xml** format. The data cache is hidden by default and requires administrator rights to open the XML file. @@ -234,19 +180,17 @@ The client collects and saves this data in an **.xml** format. The data cache is You can configure the computer that is running the App-V 5.1 client to automatically send data to the specified reporting server. To specify the server use the **Set-AppvClientConfiguration** cmdlet with the following settings: -- ReportingEnabled - -- ReportingServerURL - -- ReportingStartTime - -- ReportingInterval - -- ReportingRandomDelay +- ReportingEnabled +- ReportingServerURL +- ReportingStartTime +- ReportingInterval +- ReportingRandomDelay After you configure the previous settings, you must create a scheduled task. The scheduled task will contact the server specified by the **ReportingServerURL** setting and will initiate the transfer. If you want to manually send data outside of the scheduled times, use the following PowerShell cmdlet: -`Send-AppVClientReport –URL http://MyReportingServer:MyPort/ -DeleteOnSuccess` +```powershell +Send-AppVClientReport –URL http://MyReportingServer:MyPort/ -DeleteOnSuccess +``` If the reporting server has been previously configured, then the **–URL** parameter can be omitted. Alternatively, if the data should be sent to an alternate location, specify a different URL to override the configured **ReportingServerURL** for this data collection. @@ -277,23 +221,20 @@ You can also use the **Send-AppVClientReport** cmdlet to manually collect data. Note

If a location other than the Reporting Server is specified, the data is sent using .xml format with no additional processing.

-
- - ### Creating Reports To retrieve report information and create reports using App-V 5.1 you must use one of the following methods: -- **Microsoft SQL Server Reporting Services (SSRS)** - Microsoft SQL Server Reporting Services is available with Microsoft SQL Server. SSRS is not installed when you install the App-V 5.1 reporting server. It must be deployed separately to generate the associated reports. +- **Microsoft SQL Server Reporting Services (SSRS)** - Microsoft SQL Server Reporting Services is available with Microsoft SQL Server. SSRS is not installed when you install the App-V 5.1 reporting server. It must be deployed separately to generate the associated reports. Use the following link for more information about using [Microsoft SQL Server Reporting Services](https://go.microsoft.com/fwlink/?LinkId=285596). -- **Scripting** – You can generate reports by scripting directly against the App-V 5.1 reporting database. For example: +- **Scripting** – You can generate reports by scripting directly against the App-V 5.1 reporting database. For example: **Stored Procedure:** @@ -303,25 +244,10 @@ To retrieve report information and create reports using App-V 5.1 you must use o The stored procedure is also created when using the App-V 5.1 database scripts. -You should also ensure that the reporting server web service’s **Maximum Concurrent Connections** is set to a value that the server will be able to manage without impacting availability. The recommended number of **Maximum Concurrent Connections** for the **Reporting Web Service** is **10,000**. - - - - - +You should also ensure that the reporting server web service's **Maximum Concurrent Connections** is set to a value that the server will be able to manage without impacting availability. The recommended number of **Maximum Concurrent Connections** for the **Reporting Web Service** is **10,000**. ## Related topics - [Deploying the App-V 5.1 Server](deploying-the-app-v-51-server.md) [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md) - - - - - - - - - From 53123ccf7f8b203df70c6e61e32c2fffab3470dc Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Sun, 15 Mar 2020 16:23:42 +0100 Subject: [PATCH 02/14] Update how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md Added Note markdown. Removed characters that messed up the formatting. --- ...mputer-and-connect-it-to-the-database51.md | 47 ++++++------------- 1 file changed, 15 insertions(+), 32 deletions(-) diff --git a/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md b/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md index 4d6223aabf..b74f0be3c2 100644 --- a/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md +++ b/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md @@ -16,63 +16,46 @@ ms.date: 06/16/2016 # How to install the Reporting Server on a Standalone Computer and Connect it to the Database - Use the following procedure to install the reporting server on a standalone computer and connect it to the database. -**Important** +**Important** Before performing the following procedure you should read and understand [About App-V 5.1 Reporting](about-app-v-51-reporting.md). +## To install the reporting server on a standalone computer and connect it to the database +1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**. -**To install the reporting server on a standalone computer and connect it to the database** +2. On the **Getting Started** page, review and accept the license terms, and click **Next**. -1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**. +3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don't want to use Microsoft Update**. Click **Next**. -2. On the **Getting Started** page, review and accept the license terms, and click **Next**. +4. On the **Feature Selection** page, select the **Reporting Server** checkbox and click **Next**. -3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**. +5. On the **Installation Location** page, accept the default location and click **Next**. -4. On the **Feature Selection** page, select the **Reporting Server** checkbox and click **Next**. +6. On the **Configure Existing Reporting Database** page, select **Use a remote SQL Server**, and type the machine name of the computer running Microsoft SQL Server, for example **SqlServerMachine**. -5. On the **Installation Location** page, accept the default location and click **Next**. + > [!NOTE] + > If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**. -6. On the **Configure Existing Reporting Database** page, select **Use a remote SQL Server**, and type the machine name of the computer running Microsoft SQL Server, for example **SqlServerMachine**. + For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance. - **Note** - If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**. - - - -~~~ -For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance. - -Specify the **SQL Server Database name** that this reporting server will use, for example **AppvReporting**. -~~~ + Specify the **SQL Server Database name** that this reporting server will use, for example **AppvReporting**. 7. On the **Configure Reporting Server Configuration** page. - - Specify the Website Name that you want to use for the Reporting Service. Leave the default unchanged if you do not have a custom name. + - Specify the Website Name that you want to use for the Reporting Service. Leave the default unchanged if you do not have a custom name. - - For the **Port binding**, specify a unique port number that will be used by App-V 5.1, for example **55555**. You should also ensure that the port specified is not being used by another website. + - For the **Port binding**, specify a unique port number that will be used by App-V 5.1, for example **55555**. You should also ensure that the port specified is not being used by another website. 8. Click **Install**. - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics - [About App-V 5.1 Reporting](about-app-v-51-reporting.md) [Deploying App-V 5.1](deploying-app-v-51.md) [How to Enable Reporting on the App-V 5.1 Client by Using PowerShell](how-to-enable-reporting-on-the-app-v-51-client-by-using-powershell.md) - - - - - - - - - From 8158a5819a41638f8250bb1382a4801722557b73 Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Sun, 15 Mar 2020 16:51:34 +0100 Subject: [PATCH 03/14] Update app-v-51-planning-checklist.md Added markdown Note. Converted HTML table to markdown. --- mdop/appv-v5/app-v-51-planning-checklist.md | 87 +++------------------ 1 file changed, 11 insertions(+), 76 deletions(-) diff --git a/mdop/appv-v5/app-v-51-planning-checklist.md b/mdop/appv-v5/app-v-51-planning-checklist.md index 52ac3984ce..e1f8ef66b6 100644 --- a/mdop/appv-v5/app-v-51-planning-checklist.md +++ b/mdop/appv-v5/app-v-51-planning-checklist.md @@ -16,86 +16,21 @@ ms.date: 06/16/2016 # App-V 5.1 Planning Checklist - This checklist can be used to help you plan for preparing your computing environment for Microsoft Application Virtualization (App-V) 5.1 deployment. -**Note**   -This checklist outlines the recommended steps and a high-level list of items to consider when planning for an App-V 5.1 deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use. - - - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReferencesNotes
Checklist box

Review the getting started information about App-V 5.1 to gain a basic understanding of the product before beginning deployment planning.

Getting Started with App-V 5.1

Checklist box

Plan for App-V 5.1 1.0 Deployment Prerequisites and prepare your computing environment.

App-V 5.1 Prerequisites

Checklist box

If you plan to use the App-V 5.1 management server, plan for the required roles.

Planning for the App-V 5.1 Server Deployment

Checklist box

Plan for the App-V 5.1 sequencer and client so you to create and run virtualized applications.

Planning for the App-V 5.1 Sequencer and Client Deployment

Checklist box

If applicable, review the options and steps for migrating from a previous version of App-V.

Planning for Migrating from a Previous Version of App-V

Checklist box

Plan for running App-V 5.1 clients using in shared content store mode.

How to Install the App-V 5.1 Client for Shared Content Store Mode

- - - - - - +> [!NOTE] +> This checklist outlines the recommended steps and a high-level list of items to consider when planning for an App-V 5.1 deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use. +| |Task |References | +|-|-|-| +|![Checklist box](images/checklistbox.gif) |Review the getting started information about App-V 5.1 to gain a basic understanding of the product before beginning deployment planning.|[Getting Started with App-V 5.1](getting-started-with-app-v-51.md)| +|![Checklist box](images/checklistbox.gif) |Plan for App-V 5.1 1.0 Deployment Prerequisites and prepare your computing environment.|[App-V 5.1 Prerequisites](app-v-51-prerequisites.md)| +|![Checklist box](images/checklistbox.gif) |If you plan to use the App-V 5.1 management server, plan for the required roles.|[Planning for the App-V 5.1 Server Deployment](planning-for-the-app-v-51-server-deployment.md)| +|![Checklist box](images/checklistbox.gif) |Plan for the App-V 5.1 sequencer and client so you to create and run virtualized applications.|[Planning for the App-V 5.1 Sequencer and Client Deployment](planning-for-the-app-v-51-sequencer-and-client-deployment.md)| +|![Checklist box](images/checklistbox.gif) |If applicable, review the options and steps for migrating from a previous version of App-V.|[Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v51.md)| +|![Checklist box](images/checklistbox.gif) |Plan for running App-V 5.1 clients using in shared content store mode.|[How to Install the App-V 5.1 Client for Shared Content Store Mode](how-to-install-the-app-v-51-client-for-shared-content-store-mode.md)| +|![Checklist box](images/checklistbox.gif) | | | ## Related topics - [Planning for App-V 5.1](planning-for-app-v-51.md) - - - - - - - - - From d20a9e1a8b09b6d9e1537714b2b393c087c58724 Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Mon, 16 Mar 2020 14:10:28 -0700 Subject: [PATCH 04/14] Delete duplicate sign policies page --- .../signing-policies-with-signtool.md | 91 ------------------- 1 file changed, 91 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md diff --git a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md deleted file mode 100644 index 4d6bb94c8f..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md +++ /dev/null @@ -1,91 +0,0 @@ ---- -title: Signing Windows Defender Application Control policies with SignTool.exe (Windows 10) -description: SSigned WDAC policies give organizations the highest level of malware protection available in Windows 10. -keywords: whitelisting, security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro -ms.collection: M365-security-compliance -author: jsuther1974 -ms.reviewer: isbrahm -ms.author: dansimp -manager: dansimp -ms.date: 02/21/2018 ---- - -# Signing Windows Defender Application Control policies with SignTool.exe - -**Applies to:** - -- Windows 10 -- Windows Server 2016 - -Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. -In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. -These policies are designed to prevent administrative tampering and kernel mode exploit access. -With this in mind, it is much more difficult to remove signed WDAC policies. -Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. - -Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. -If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA. - -Before signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md). - -To sign a WDAC policy with SignTool.exe, you need the following components: - -- SignTool.exe, found in the Windows SDK (Windows 7 or later) - -- The binary format of the WDAC policy that you generated in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section or another WDAC policy that you have created - -- An internal CA code signing certificate or a purchased code signing certificate - -If you do not have a code signing certificate, see the [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) section for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session: - -1. Initialize the variables that will be used: - - `$CIPolicyPath=$env:userprofile+"\Desktop\"` - - `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` - - `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` - - > [!NOTE] - > This example uses the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. - -2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). - -3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later. - -4. Navigate to your desktop as the working directory: - - `cd $env:USERPROFILE\Desktop` - -5. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy: - - `Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` - - > [!NOTE] - > \ should be the full path to the certificate that you exported in step 3. - Also, adding update signers is crucial to being able to modify or disable this policy in the future. - -6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option: - - `Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete` - -7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format: - - `ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` - -8. Sign the WDAC policy by using SignTool.exe: - - ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` - - > [!NOTE] - > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. - -9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). - From 513dd02925dda0952c9130cdaf396ef1472f9443 Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Mon, 16 Mar 2020 14:15:39 -0700 Subject: [PATCH 05/14] Add redirect link for Signing WDAC policies page --- .openpublishing.redirection.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index a4dfbd0f88..d109fd20f0 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,6 +1,11 @@ { "redirections": [ { +"source_path": "security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering", +"redirect_document_id": true +}, +{ "source_path": "devices/hololens/hololens-whats-new.md", "redirect_url": "https://docs.microsoft.com/hololens/hololens-release-notes", "redirect_document_id": true From 8810c907000713b357667133ef0951ad81ae5560 Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Mon, 16 Mar 2020 14:26:42 -0700 Subject: [PATCH 06/14] Add SecureBoot requirement info to signed policies docs --- ...indows-defender-application-control-against-tampering.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index edbac5d2b9..7386316a87 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -28,10 +28,8 @@ ms.date: 05/03/2018 - Windows Server 2016 -Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. -In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. -These policies are designed to prevent administrative tampering and kernel mode exploit access. -With this in mind, it is much more difficult to remove signed WDAC policies. +Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies. + Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. From 56b58add0d830004fc09f04d06be28de346a9b85 Mon Sep 17 00:00:00 2001 From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Mon, 16 Mar 2020 15:32:28 -0700 Subject: [PATCH 07/14] Corrected Microsoft Endpoint Manager link Corrected link to point to https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager --- windows/deployment/update/update-compliance-wd-av-status.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md index 3fae8e0328..881410e578 100644 --- a/windows/deployment/update/update-compliance-wd-av-status.md +++ b/windows/deployment/update/update-compliance-wd-av-status.md @@ -18,7 +18,7 @@ ms.topic: article > [!IMPORTANT] -> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/), which allows finer control over security features and updates. +> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates. ![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png) From 810f9340b38bf3f0b1ace054e5aa7f6af7a28790 Mon Sep 17 00:00:00 2001 From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Mon, 16 Mar 2020 15:33:31 -0700 Subject: [PATCH 08/14] Corrected Microsoft Endpoint Manager link Previously pointed to ConfigMgr, corrected to https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager --- windows/deployment/update/update-compliance-monitor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 2bcc21e872..e1e7e102cc 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -20,7 +20,7 @@ ms.topic: article > [!IMPORTANT] > While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal; however, please note the following updates: > -> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/), which allows finer control over security features and updates. +> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates. > * The Perspectives feature of Update Compliance will also be removed on March 31, 2020 in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. From da766c37ef8c251862a05106e289fea60f506059 Mon Sep 17 00:00:00 2001 From: Bella Brahm Date: Tue, 17 Mar 2020 10:03:42 -0700 Subject: [PATCH 09/14] Remove dup signing page, add operational guide Updating TOC to remove "Signing WDAC policies with SignTool.exe" page, as it is a duplicate of "Use signed policies to protect Windows Defender Application Control against tampering" Additionally, adding an operational guide section to follow design and deployment guides. --- .../TOC.md | 11 ++--- ...r-application-control-operational-guide.md | 41 +++++++++++++++++++ 2 files changed, 47 insertions(+), 5 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 7275492629..364e2c3baf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -21,23 +21,24 @@ ### [Audit WDAC policies](audit-windows-defender-application-control-policies.md) ### [Merge WDAC policies](merge-windows-defender-application-control-policies.md) ### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md) -### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md) ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md) +### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md) ### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md) -### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) +### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md) +### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) #### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) #### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) #### [Deploy catalog files to support WDAC](deploy-catalog-files-to-support-windows-defender-application-control.md) -### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md) -### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) ### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md) -#### [Signing WDAC policies with SignTool.exe](signing-policies-with-signtool.md) ### [Disable WDAC policies](disable-windows-defender-application-control-policies.md) ### [LOB Win32 Apps on S Mode](LOB-win32-apps-on-s.md) +## [Windows Defender Application Control operational guide](windows-defender-application-control-operational-guide.md) +### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) + ## [AppLocker](applocker\applocker-overview.md) ### [Administer AppLocker](applocker\administer-applocker.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md new file mode 100644 index 0000000000..8e14e7cb0d --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md @@ -0,0 +1,41 @@ +--- +title: Managing and troubleshooting Windows Defender Application Control policies (Windows 10) +description: Gather information about how your deployed Windows Defender Application Control policies are behaving. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 03/16/2020 +--- + +# Windows Defender Application Control operational guide + +**Applies to** +- Windows 10 +- Windows Server 2016 + +After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanted Threat Protection (MDATP) Advanced Hunting feature. + +## WDAC Events Overview + +WDAC generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC does not generate events when a binary is allowed; however, there is the option to enable allow events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured. + +WDAC events are generated under two locations: + +1. Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational +2. Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script + +## In this section + +| Topic | Description | +| - | - | +| [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) | This topic covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender ATP. | From c140dceb33e4a500a907df0165820405a2ec6243 Mon Sep 17 00:00:00 2001 From: Michael Niehaus Date: Tue, 17 Mar 2020 11:02:31 -0700 Subject: [PATCH 10/14] Added a new note about Hybrid AADJ --- windows/deployment/windows-autopilot/known-issues.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/deployment/windows-autopilot/known-issues.md b/windows/deployment/windows-autopilot/known-issues.md index 40de54fe9a..162db9fe0e 100644 --- a/windows/deployment/windows-autopilot/known-issues.md +++ b/windows/deployment/windows-autopilot/known-issues.md @@ -26,6 +26,9 @@ ms.topic: article + + - + - + +

We have a bug were we may surface policy errors if the account doesn't receive any server notifications within the policy refresh interval.

@@ -475,7 +475,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca - + @@ -487,7 +487,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca - + @@ -499,13 +499,13 @@ This section lists status codes, mapping, user messages, and actions an admin ca - + - + @@ -523,7 +523,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca - + @@ -535,13 +535,13 @@ This section lists status codes, mapping, user messages, and actions an admin ca - + - + @@ -555,7 +555,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca +

We have a bug were we may surface policy errors if the account doesn't receive any server notifications within the policy refresh interval.

@@ -566,7 +566,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca - + @@ -602,7 +602,10 @@ This section lists status codes, mapping, user messages, and actions an admin ca
IssueMore information +
Windows Autopilot user-driven Hybrid Azure AD deployments do not grant users Administrator rights even when specified in the Windows Autopilot profile.This will occur when there is another user on the device that already has Administrator rights. For example, a PowerShell script or policy could create an additional local account that is a member of the Administrators group. To ensure this works properly, do not create an additional account until after the Windows Autopilot process has completed.
Windows Autopilot device provisioning can fail with TPM attestation errors or ESP timeouts on devices where the real-time clock is off by a significant amount of time (e.g. several minutes or more). To fix this issue:
  1. Boot the device to the start of the out-of-box experience (OOBE).
  2. Establish a network connection (wired or wireless). From 5f26d35c1e4863bfab57c196c6be03170fa85ecc Mon Sep 17 00:00:00 2001 From: Bella Brahm Date: Tue, 17 Mar 2020 11:33:50 -0700 Subject: [PATCH 11/14] Add Event IDs docs page WDAC event descriptions are not documented currently --- .../event-id-explanations.md | 80 +++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md new file mode 100644 index 0000000000..182c28dedc --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -0,0 +1,80 @@ +--- +title: Understanding Application Control events (Windows 10) +description: Learn what different Windows Defender Application Control events signify. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 3/17/2020 +--- + +# Understanding Application Control events + +A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: + +1. Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational +2. Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script + +## Microsoft Windows CodeIntegrity Operational log event IDs + +| Event ID | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 3076 | Audit executable/dll file | +| 3077 | Block executable/dll file | +| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.
    Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. | +| 3099 | Indicates that a policy has been loaded | + +## Microsoft Windows Applocker MSI and Script log event IDs + +| Event ID | Explanation | +|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. | +| 8029 | Block script/MSI file | +| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. | | + +## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events + +If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. + +| Event ID | Explanation | +|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 3090 | Allow executable/dll file | +| 3091 | Audit executable/dll file | +| 3092 | Block executable/dll file | + +3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template which appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated. + +### SmartLocker template + +Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates. + +| Name | Explanation | +|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. | +| ManagedInstallerEnabled | Policy trusts a MI | +| PassesManagedInstaller | File originated from a trusted MI | +| SmartlockerEnabled | Policy trusts the ISG | +| PassesSmartlocker | File had positive reputation | +| AuditEnabled | True if the policy is in audit mode, otherwise it is in enforce mode | + +### Enabling ISG and MI diagnostic events + +In order to enable 3091 audit events and 3092 block events, you must create a TestFlags regkey with a value of 0x100. You can do so using the following PowerShell command: + + ```powershell + reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100 + ``` +In order to enable 3090 allow events, you must create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: + + ```powershell + reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 + ``` From 68020943aab4d60774e643b3836f71f89a938501 Mon Sep 17 00:00:00 2001 From: Bella Brahm Date: Tue, 17 Mar 2020 11:39:41 -0700 Subject: [PATCH 12/14] Minor changes to TOC for event explanations page --- .../windows-defender-application-control/TOC.md | 2 +- .../windows-defender-application-control-operational-guide.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 364e2c3baf..5ade5917e6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -37,9 +37,9 @@ ## [Windows Defender Application Control operational guide](windows-defender-application-control-operational-guide.md) +### [Understanding Application Control events](event-id-explanations.md) ### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) - ## [AppLocker](applocker\applocker-overview.md) ### [Administer AppLocker](applocker\administer-applocker.md) #### [Maintain AppLocker policies](applocker\maintain-applocker-policies.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md index 8e14e7cb0d..a34e52ab58 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md @@ -38,4 +38,5 @@ WDAC events are generated under two locations: | Topic | Description | | - | - | +| [Understanding Application Control events](event-id-explanations.md) | This topic explains the meaning of different WDAC events. | | [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) | This topic covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender ATP. | From 004f72b34fe3d03b765383432a876c5b47b5ede1 Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Tue, 17 Mar 2020 11:40:29 -0700 Subject: [PATCH 13/14] Adds contact support link to troubleshooting pages --- .../surface-hub/device-reset-surface-hub.md | 8 ++++- .../surface-hub/miracast-troubleshooting.md | 13 +++++---- .../surface-hub-2s-recover-reset.md | 4 +++ .../surface-hub/troubleshoot-surface-hub.md | 29 ++++++++++--------- 4 files changed, 35 insertions(+), 19 deletions(-) diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md index 6d7d33415f..dc0045817a 100644 --- a/devices/surface-hub/device-reset-surface-hub.md +++ b/devices/surface-hub/device-reset-surface-hub.md @@ -90,7 +90,7 @@ On rare occasions, a Surface Hub may encounter an error while cleaning up user a 1. Use the power switch to turn the Surface Hub back on. The device starts and displays the Surface Hub Logo screen. When you see spinning dots under the Surface Hub Logo, use the power switch to turn the Surface Hub off again. -1. Repeat step 3 three times, or until the Surface Hub displays the “Preparing Automatic Repair” message. After it displays this message, the Surface Hub displays the Windows RE screen. +1. Repeat step 3 three times, or until the Surface Hub displays the "Preparing Automatic Repair" message. After it displays this message, the Surface Hub displays the Windows RE screen. 1. Select **Advanced Options**. @@ -115,6 +115,12 @@ On rare occasions, a Surface Hub may encounter an error while cleaning up user a ![downloading 97&](images/recover-progress.png) When the download finishes, the recovery process restores the Surface Hub according to the options that you selected. + + +## Contact Support + +If you have questions or need help, you can [create a support request](https://support.microsoft.com/en-us/supportforbusiness/productselection). + ## Related topics diff --git a/devices/surface-hub/miracast-troubleshooting.md b/devices/surface-hub/miracast-troubleshooting.md index 9517857676..40ccbb5804 100644 --- a/devices/surface-hub/miracast-troubleshooting.md +++ b/devices/surface-hub/miracast-troubleshooting.md @@ -21,13 +21,13 @@ In traditional Miracast, the projecting device will connect the access point set - The first step is an initial connection using 2.4GHz. - After that initial handshake, the projecting device sends traffic to the monitor using the wireless channel settings on the monitor. If Surface Hub is connected to a Wi-Fi network, the access point, it will use the same channel as the connected network, otherwise it will use the Miracast channel from Settings. -There are generally two types of issues with Miracast to Surface Hub: [connection](#connect-issues) and [performance](#performance-issues). In either case, it is a good idea to get a general picture of wireless network activity in the Surface Hub’s location. Running a network scanning tool will show you the available networks and channel usage in the environment. +There are generally two types of issues with Miracast to Surface Hub: [connection](#connect-issues) and [performance](#performance-issues). In either case, it is a good idea to get a general picture of wireless network activity in the Surface Hub's location. Running a network scanning tool will show you the available networks and channel usage in the environment. ## Connect issues Ensure both Wi-Fi and Miracast are both enabled in Settings on Surface Hub. -If you ran a network scan, you should see Surface Hub Miracast listed as an access point. If Surface Hub’s Miracast network shows up on the scan, but you cannot not see it as an available device, you can try to adjust the Miracast channel used by Surface Hub. +If you ran a network scan, you should see Surface Hub Miracast listed as an access point. If Surface Hub's Miracast network shows up on the scan, but you cannot not see it as an available device, you can try to adjust the Miracast channel used by Surface Hub. When Surface Hub is connected to a Wi-Fi network it will use the same channel settings as the Wi-Fi access point for its Miracast access point. For troubleshooting purposes, disconnect Surface Hub from any Wi-Fi networks (but keep Wi-Fi enabled), so you can control the channel used for Miracast. You can manually select the Miracast channel in Settings. You will need to restart Surface Hub after each change. Generally speaking, you will want to use channels that do not show heavy utilization from the network scan. @@ -42,7 +42,7 @@ It is also a good idea to ensure the latest drivers and updates are installed on Next, ensure Miracast is supported on the device. 1. Press Windows Key + R and type `dxdiag`. -2. Click “Save all information”. +2. Click "Save all information". 3. Open the saved dxdiag.txt and find **Miracast**. It should say **Available, with HDCP**. ### Check firewall @@ -63,7 +63,7 @@ On domain-joined devices, Group Policy can also block Miracast. ### Check event logs -The last place to check is in the Event logs. Miracast events will be logged to **Wlanautoconfig**. This is true on both Surface Hub and the projecting device. If you export Surface Hub logs, you can view Surface Hub’s Wlanautoconfig in the **WindowsEventLog** folder. Errors in the event log can provide some additional details on where the connection fails. +The last place to check is in the Event logs. Miracast events will be logged to **Wlanautoconfig**. This is true on both Surface Hub and the projecting device. If you export Surface Hub logs, you can view Surface Hub's Wlanautoconfig in the **WindowsEventLog** folder. Errors in the event log can provide some additional details on where the connection fails. ## Performance issues @@ -75,7 +75,10 @@ Channel switching is caused when the Wi-Fi adapter needs to send traffic to mult If Surface Hub and the projecting device are both connected to Wi-Fi but using different access points with different channels, this will force Surface Hub and the projecting device to channel switch while Miracast is connected. This will result in both poor wireless project and poor network performance over Wi-Fi. The channel switching will affect the performance of all wireless traffic, not just wireless projection. -Channel switching will also occur if the projecting device is connected to an Wi-Fi network using a different channel than the channel that Surface Hub uses for Miracast. So, a best practice is to set Surface Hub’s Miracast channel to the same channel as the most commonly used access point. +Channel switching will also occur if the projecting device is connected to an Wi-Fi network using a different channel than the channel that Surface Hub uses for Miracast. So, a best practice is to set Surface Hub's Miracast channel to the same channel as the most commonly used access point. If there are multiple Wi-Fi networks or access points in the environment, some channel switching is unavoidable. This is best addressed by ensuring all Wi-Fi drivers are up to date. +## Contact Support + +If you have questions or need help, you can [create a support request](https://support.microsoft.com/en-us/supportforbusiness/productselection). diff --git a/devices/surface-hub/surface-hub-2s-recover-reset.md b/devices/surface-hub/surface-hub-2s-recover-reset.md index 1f0e98f92b..6c9fb942af 100644 --- a/devices/surface-hub/surface-hub-2s-recover-reset.md +++ b/devices/surface-hub/surface-hub-2s-recover-reset.md @@ -69,3 +69,7 @@ At the end of a session, Surface Hub 2S may occasionally encounter an error duri > [!NOTE] > To enter recovery mode, unplug the power cord and plug it in again three times. + +## Contact Support + +If you have questions or need help, you can [create a support request](https://support.microsoft.com/en-us/supportforbusiness/productselection). diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md index af6809a477..2b0397fb04 100644 --- a/devices/surface-hub/troubleshoot-surface-hub.md +++ b/devices/surface-hub/troubleshoot-surface-hub.md @@ -456,15 +456,15 @@ This section lists status codes, mapping, user messages, and actions an admin ca

0x80072EFD

WININET_E_CANNOT_CONNECT

Can’t connect to the server right now. Wait a while and try again, or check the account settings.

Can't connect to the server right now. Wait a while and try again, or check the account settings.

Verify that the server name is correct and reachable. Verify that the device is connected to the network.

0x86000C29

E_NEXUS_STATUS_DEVICE_NOTPROVISIONED (policies don’t match)

E_NEXUS_STATUS_DEVICE_NOTPROVISIONED (policies don't match)

The account is configured with policies not compatible with Surface Hub.

Disable the PasswordEnabled policy for this account.

-

We have a bug were we may surface policy errors if the account doesn’t receive any server notifications within the policy refresh interval.

0x86000C4C

0x86000C0A

E_NEXUS_STATUS_SERVERERROR_RETRYLATER

Can’t connect to the server right now.

Can't connect to the server right now.

Wait until the server comes back online. If the issue persists, re-provision the account.

0x8505000D

E_AIRSYNC_RESET_RETRY

Can’t connect to the server right now. Wait a while or check the account’s settings.

Can't connect to the server right now. Wait a while or check the account's settings.

This is normally a transient error but if the issue persists check the number of devices associated with the account and delete some of them if the number is large.

0x85010004

E_HTTP_FORBIDDEN

Can’t connect to the server right now. Wait a while and try again, or check the account’s settings.

Can't connect to the server right now. Wait a while and try again, or check the account's settings.

Verify the server name to make sure it is correct. If the account is using cert based authentication make sure the certificate is still valid and update it if not.

0x85030028

E_ACTIVESYNC_PASSWORD_OR_GETCERT

The account’s password or client certificate are missing or invalid.

The account's password or client certificate are missing or invalid.

Update the password and/or deploy the client certificate.

0x80072EE2

WININET_E_TIMEOUT

The network doesn’t support the minimum idle timeout required to receive server notification, or the server is offline.

The network doesn't support the minimum idle timeout required to receive server notification, or the server is offline.

Verify that the server is running. Verify the NAT settings.

0x85010017

E_HTTP_SERVICE_UNAVAIL

Can’t connect to the server right now. Wait a while or check the account’s settings.

Can't connect to the server right now. Wait a while or check the account's settings.

Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account.

0x86000C0D

E_NEXUS_STATUS_MAILBOX_SERVEROFFLINE

Can’t connect to the server right now. Wait a while or check the account’s settings.

Can't connect to the server right now. Wait a while or check the account's settings.

Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account.

E_NEXUS_STATUS_INVALID_POLICYKEY

The account is configured with policies not compatible with Surface Hub.

Disable the PasswordEnabled policy for this account.

-

We have a bug were we may surface policy errors if the account doesn’t receive any server notifications within the policy refresh interval.

0x85010005

0x85010014

E_HTTP_SERVER_ERROR

Can’t connect to the server.

Can't connect to the server.

Verify the server name to make sure it is correct. Trigger a sync and, if the issue persists, re-provision the account.
-  +## Contact Support + +If you have questions or need help, you can [create a support request](https://support.microsoft.com/en-us/supportforbusiness/productselection). +   ## Related content From 982edee905d36eb4efacc0236a9db43f0723b6ac Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Tue, 17 Mar 2020 13:39:53 -0700 Subject: [PATCH 14/14] Removal of locale in link URLs --- devices/surface-hub/device-reset-surface-hub.md | 2 +- devices/surface-hub/miracast-troubleshooting.md | 2 +- devices/surface-hub/surface-hub-2s-recover-reset.md | 2 +- devices/surface-hub/troubleshoot-surface-hub.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md index dc0045817a..d8d0269900 100644 --- a/devices/surface-hub/device-reset-surface-hub.md +++ b/devices/surface-hub/device-reset-surface-hub.md @@ -119,7 +119,7 @@ On rare occasions, a Surface Hub may encounter an error while cleaning up user a ## Contact Support -If you have questions or need help, you can [create a support request](https://support.microsoft.com/en-us/supportforbusiness/productselection). +If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection). ## Related topics diff --git a/devices/surface-hub/miracast-troubleshooting.md b/devices/surface-hub/miracast-troubleshooting.md index 40ccbb5804..eb33f483d6 100644 --- a/devices/surface-hub/miracast-troubleshooting.md +++ b/devices/surface-hub/miracast-troubleshooting.md @@ -81,4 +81,4 @@ If there are multiple Wi-Fi networks or access points in the environment, some c ## Contact Support -If you have questions or need help, you can [create a support request](https://support.microsoft.com/en-us/supportforbusiness/productselection). +If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection). diff --git a/devices/surface-hub/surface-hub-2s-recover-reset.md b/devices/surface-hub/surface-hub-2s-recover-reset.md index 6c9fb942af..7493e10c3c 100644 --- a/devices/surface-hub/surface-hub-2s-recover-reset.md +++ b/devices/surface-hub/surface-hub-2s-recover-reset.md @@ -72,4 +72,4 @@ At the end of a session, Surface Hub 2S may occasionally encounter an error duri ## Contact Support -If you have questions or need help, you can [create a support request](https://support.microsoft.com/en-us/supportforbusiness/productselection). +If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection). diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md index 2b0397fb04..cf02da1a6e 100644 --- a/devices/surface-hub/troubleshoot-surface-hub.md +++ b/devices/surface-hub/troubleshoot-surface-hub.md @@ -604,7 +604,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca ## Contact Support -If you have questions or need help, you can [create a support request](https://support.microsoft.com/en-us/supportforbusiness/productselection). +If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).