deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-07-03 03:03:43 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #2307 from MicrosoftDocs/master

Browse Source 
Publish 3/17/2020 3:30 PM PST
This commit is contained in:
Thomas Raya
2020-03-17 18:35:03 -05:00
committed by GitHub
parent 71d10238b8 2355cce653
commit a0bc0b8eb7
16 changed files with 249 additions and 351 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.json
View File

@ -1,6 +1,11 @@
{
"redirections": [
{
"source_path": "security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering",
"redirect_document_id": true
},
{
"source_path": "devices/hololens/hololens-whats-new.md",
"redirect_url": "https://docs.microsoft.com/hololens/hololens-release-notes",
"redirect_document_id": true

8
devices/surface-hub/device-reset-surface-hub.md
View File

@ -90,7 +90,7 @@ On rare occasions, a Surface Hub may encounter an error while cleaning up user a
1. Use the power switch to turn the Surface Hub back on. The device starts and displays the Surface Hub Logo screen. When you see spinning dots under the Surface Hub Logo, use the power switch to turn the Surface Hub off again.
1. Repeat step 3 three times, or until the Surface Hub displays the Preparing Automatic Repair message. After it displays this message, the Surface Hub displays the Windows RE screen.
1. Repeat step 3 three times, or until the Surface Hub displays the "Preparing Automatic Repair" message. After it displays this message, the Surface Hub displays the Windows RE screen.
1. Select **Advanced Options**.
@ -116,6 +116,12 @@ On rare occasions, a Surface Hub may encounter an error while cleaning up user a
When the download finishes, the recovery process restores the Surface Hub according to the options that you selected.
## Contact Support
If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).
## Related topics
[Manage Microsoft Surface Hub](manage-surface-hub.md)

13
devices/surface-hub/miracast-troubleshooting.md
View File

@ -21,13 +21,13 @@ In traditional Miracast, the projecting device will connect the access point set
- The first step is an initial connection using 2.4GHz.
- After that initial handshake, the projecting device sends traffic to the monitor using the wireless channel settings on the monitor. If Surface Hub is connected to a Wi-Fi network, the access point, it will use the same channel as the connected network, otherwise it will use the Miracast channel from Settings.
There are generally two types of issues with Miracast to Surface Hub: [connection](#connect-issues) and [performance](#performance-issues). In either case, it is a good idea to get a general picture of wireless network activity in the Surface Hubs location. Running a network scanning tool will show you the available networks and channel usage in the environment.
There are generally two types of issues with Miracast to Surface Hub: [connection](#connect-issues) and [performance](#performance-issues). In either case, it is a good idea to get a general picture of wireless network activity in the Surface Hub's location. Running a network scanning tool will show you the available networks and channel usage in the environment.
## Connect issues
Ensure both Wi-Fi and Miracast are both enabled in Settings on Surface Hub.
If you ran a network scan, you should see Surface Hub Miracast listed as an access point. If Surface Hubs Miracast network shows up on the scan, but you cannot not see it as an available device, you can try to adjust the Miracast channel used by Surface Hub.
If you ran a network scan, you should see Surface Hub Miracast listed as an access point. If Surface Hub's Miracast network shows up on the scan, but you cannot not see it as an available device, you can try to adjust the Miracast channel used by Surface Hub.
When Surface Hub is connected to a Wi-Fi network it will use the same channel settings as the Wi-Fi access point for its Miracast access point. For troubleshooting purposes, disconnect Surface Hub from any Wi-Fi networks (but keep Wi-Fi enabled), so you can control the channel used for Miracast. You can manually select the Miracast channel in Settings. You will need to restart Surface Hub after each change. Generally speaking, you will want to use channels that do not show heavy utilization from the network scan.
@ -42,7 +42,7 @@ It is also a good idea to ensure the latest drivers and updates are installed on
Next, ensure Miracast is supported on the device.
1. Press Windows Key + R and type `dxdiag`.
2. Click Save all information.
2. Click "Save all information".
3. Open the saved dxdiag.txt and find **Miracast**. It should say **Available, with HDCP**.
### Check firewall
@ -63,7 +63,7 @@ On domain-joined devices, Group Policy can also block Miracast.
### Check event logs
The last place to check is in the Event logs. Miracast events will be logged to **Wlanautoconfig**. This is true on both Surface Hub and the projecting device. If you export Surface Hub logs, you can view Surface Hubs Wlanautoconfig in the **WindowsEventLog** folder. Errors in the event log can provide some additional details on where the connection fails.
The last place to check is in the Event logs. Miracast events will be logged to **Wlanautoconfig**. This is true on both Surface Hub and the projecting device. If you export Surface Hub logs, you can view Surface Hub's Wlanautoconfig in the **WindowsEventLog** folder. Errors in the event log can provide some additional details on where the connection fails.
## Performance issues
@ -75,7 +75,10 @@ Channel switching is caused when the Wi-Fi adapter needs to send traffic to mult
If Surface Hub and the projecting device are both connected to Wi-Fi but using different access points with different channels, this will force Surface Hub and the projecting device to channel switch while Miracast is connected. This will result in both poor wireless project and poor network performance over Wi-Fi. The channel switching will affect the performance of all wireless traffic, not just wireless projection.
Channel switching will also occur if the projecting device is connected to an Wi-Fi network using a different channel than the channel that Surface Hub uses for Miracast. So, a best practice is to set Surface Hubs Miracast channel to the same channel as the most commonly used access point.
Channel switching will also occur if the projecting device is connected to an Wi-Fi network using a different channel than the channel that Surface Hub uses for Miracast. So, a best practice is to set Surface Hub's Miracast channel to the same channel as the most commonly used access point.
If there are multiple Wi-Fi networks or access points in the environment, some channel switching is unavoidable. This is best addressed by ensuring all Wi-Fi drivers are up to date.
## Contact Support
If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).

4
devices/surface-hub/surface-hub-2s-recover-reset.md
View File

@ -69,3 +69,7 @@ At the end of a session, Surface Hub 2S may occasionally encounter an error duri
> [!NOTE]
> To enter recovery mode, unplug the power cord and plug it in again three times.
## Contact Support
If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).

29
devices/surface-hub/troubleshoot-surface-hub.md
View File

@ -456,15 +456,15 @@ This section lists status codes, mapping, user messages, and actions an admin ca
<tr class="even">
<td align="left"><p>0x80072EFD</p></td>
<td align="left"><p>WININET_E_CANNOT_CONNECT</p></td>
<td align="left"><p>Cant connect to the server right now. Wait a while and try again, or check the account settings.</p></td>
<td align="left"><p>Can't connect to the server right now. Wait a while and try again, or check the account settings.</p></td>
<td align="left"><p>Verify that the server name is correct and reachable. Verify that the device is connected to the network.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>0x86000C29</p></td>
<td align="left"><p>E_NEXUS_STATUS_DEVICE_NOTPROVISIONED (policies dont match)</p></td>
<td align="left"><p>E_NEXUS_STATUS_DEVICE_NOTPROVISIONED (policies don't match)</p></td>
<td align="left"><p>The account is configured with policies not compatible with Surface Hub.</p></td>
<td align="left"><p>Disable the <strong>PasswordEnabled</strong> policy for this account.</p>
<p>We have a bug were we may surface policy errors if the account doesnt receive any server notifications within the policy refresh interval.</p></td>
<p>We have a bug were we may surface policy errors if the account doesn't receive any server notifications within the policy refresh interval.</p></td>
</tr>
<tr class="even">
<td align="left"><p>0x86000C4C</p></td>
@ -475,7 +475,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
<tr class="odd">
<td align="left"><p>0x86000C0A</p></td>
<td align="left"><p>E_NEXUS_STATUS_SERVERERROR_RETRYLATER</p></td>
<td align="left"><p>Cant connect to the server right now.</p></td>
<td align="left"><p>Can't connect to the server right now.</p></td>
<td align="left"><p>Wait until the server comes back online. If the issue persists, re-provision the account.</p></td>
</tr>
<tr class="even">
@ -487,7 +487,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
<tr class="odd">
<td align="left"><p>0x8505000D</p></td>
<td align="left"><p>E_AIRSYNC_RESET_RETRY</p></td>
<td align="left"><p>Cant connect to the server right now. Wait a while or check the accounts settings.</p></td>
<td align="left"><p>Can't connect to the server right now. Wait a while or check the account's settings.</p></td>
<td align="left"><p>This is normally a transient error but if the issue persists check the number of devices associated with the account and delete some of them if the number is large.</p></td>
</tr>
<tr class="even">
@ -499,13 +499,13 @@ This section lists status codes, mapping, user messages, and actions an admin ca
<tr class="odd">
<td align="left"><p>0x85010004</p></td>
<td align="left"><p>E_HTTP_FORBIDDEN</p></td>
<td align="left"><p>Cant connect to the server right now. Wait a while and try again, or check the accounts settings.</p></td>
<td align="left"><p>Can't connect to the server right now. Wait a while and try again, or check the account's settings.</p></td>
<td align="left"><p>Verify the server name to make sure it is correct. If the account is using cert based authentication make sure the certificate is still valid and update it if not.</p></td>
</tr>
<tr class="even">
<td align="left"><p>0x85030028</p></td>
<td align="left"><p>E_ACTIVESYNC_PASSWORD_OR_GETCERT</p></td>
<td align="left"><p>The accounts password or client certificate are missing or invalid.</p></td>
<td align="left"><p>The account's password or client certificate are missing or invalid.</p></td>
<td align="left"><p>Update the password and/or deploy the client certificate.</p></td>
</tr>
<tr class="odd">
@ -523,7 +523,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
<tr class="odd">
<td align="left"><p>0x80072EE2</p></td>
<td align="left"><p>WININET_E_TIMEOUT</p></td>
<td align="left"><p>The network doesnt support the minimum idle timeout required to receive server notification, or the server is offline.</p></td>
<td align="left"><p>The network doesn't support the minimum idle timeout required to receive server notification, or the server is offline.</p></td>
<td align="left"><p>Verify that the server is running. Verify the NAT settings.</p></td>
</tr>
<tr class="even">
@ -535,13 +535,13 @@ This section lists status codes, mapping, user messages, and actions an admin ca
<tr class="odd">
<td align="left"><p>0x85010017</p></td>
<td align="left"><p>E_HTTP_SERVICE_UNAVAIL</p></td>
<td align="left"><p>Cant connect to the server right now. Wait a while or check the accounts settings.</p></td>
<td align="left"><p>Can't connect to the server right now. Wait a while or check the account's settings.</p></td>
<td align="left"><p>Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account.</p></td>
</tr>
<tr class="even">
<td align="left"><p>0x86000C0D</p></td>
<td align="left"><p>E_NEXUS_STATUS_MAILBOX_SERVEROFFLINE</p></td>
<td align="left"><p>Cant connect to the server right now. Wait a while or check the accounts settings.</p></td>
<td align="left"><p>Can't connect to the server right now. Wait a while or check the account's settings.</p></td>
<td align="left"><p>Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account.</p></td>
</tr>
<tr class="odd">
@ -555,7 +555,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
<td align="left"><p>E_NEXUS_STATUS_INVALID_POLICYKEY</p></td>
<td align="left"><p>The account is configured with policies not compatible with Surface Hub.</p></td>
<td align="left"><p>Disable the PasswordEnabled policy for this account.</p>
<p>We have a bug were we may surface policy errors if the account doesnt receive any server notifications within the policy refresh interval.</p></td>
<p>We have a bug were we may surface policy errors if the account doesn't receive any server notifications within the policy refresh interval.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>0x85010005</p></td>
@ -566,7 +566,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
<tr class="even">
<td align="left"><p>0x85010014</p></td>
<td align="left"><p>E_HTTP_SERVER_ERROR</p></td>
<td align="left"><p>Cant connect to the server.</p></td>
<td align="left"><p>Can't connect to the server.</p></td>
<td align="left"><p>Verify the server name to make sure it is correct. Trigger a sync and, if the issue persists, re-provision the account.</p></td>
</tr>
<tr class="odd">
@ -602,7 +602,10 @@ This section lists status codes, mapping, user messages, and actions an admin ca
</tbody>
</table>
 
## Contact Support
If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).
 
## Related content

170
mdop/appv-v5/about-app-v-51-reporting.md
View File

@ -16,36 +16,32 @@ ms.date: 08/30/2016
# About App-V 5.1 Reporting
Microsoft Application Virtualization (App-V) 5.1 includes a built-in reporting feature that helps you collect information about computers running the App-V 5.1 client as well as information about virtual application package usage. You can use this information to generate reports from a centralized database.
## <a href="" id="---------app-v-5-1-reporting-overview"></a> App-V 5.1 Reporting Overview
The following list displays the endto-end high-level workflow for reporting in App-V 5.1.
1. The App-V 5.1 Reporting server has the following prerequisites:
1. The App-V 5.1 Reporting server has the following prerequisites:
- Internet Information Service (IIS) web server role
- Internet Information Service (IIS) web server role
- Windows Authentication role (under **IIS / Security**)
- Windows Authentication role (under **IIS / Security**)
- SQL Server installed and running with SQL Server Reporting Services (SSRS)
- SQL Server installed and running with SQL Server Reporting Services (SSRS)
To confirm SQL Server Reporting Services is running, view `http://localhost/Reports` in a web browser as administrator on the server that will host App-V 5.1 Reporting. The SQL Server Reporting Services Home page should display.
2. Install the App-V 5.1 reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md). Configure the time when the computer running the App-V 5.1 client should send data to the reporting server.
2. Install the App-V 5.1 reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md). Configure the time when the computer running the App-V 5.1 client should send data to the reporting server.
3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined appvshort Reports from the Download Center at <https://go.microsoft.com/fwlink/?LinkId=397255>.
3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined SSRS Reports from the [Download Center](https://go.microsoft.com/fwlink/?LinkId=397255).
**Note**  
If you are using the Configuration Manager integration with App-V 5.1, most reports are generated from Configuration Manager rather than from App-V 5.1.
> [!NOTE]
> If you are using the Configuration Manager integration with App-V 5.1, most reports are generated from Configuration Manager rather than from App-V 5.1.
4. After importing the App-V 5.1 PowerShell module using `Import-Module AppvClient` as administrator, enable the App-V 5.1 client. This sample PowerShell cmdlet enables App-V 5.1 reporting:
4. After importing the App-V 5.1 PowerShell module using `Import-Module AppvClient` as administrator, enable the App-V 5.1 client. This sample PowerShell cmdlet enables App-V 5.1 reporting:
``` syntax
```powershell
Set-AppvClientConfiguration reportingserverurl <url>:<port> -reportingenabled 1 ReportingStartTime <0-23> - ReportingRandomDelay <#min>
```
@ -53,18 +49,14 @@ The following list displays the endto-end high-level workflow for reporting i
For more information about installing the App-V 5.1 client with reporting enabled see [About Client Configuration Settings](about-client-configuration-settings51.md). To administer App-V 5.1 Reporting with Windows PowerShell, see [How to Enable Reporting on the App-V 5.1 Client by Using PowerShell](how-to-enable-reporting-on-the-app-v-51-client-by-using-powershell.md).
5. After the reporting server receives the data from the App-V 5.1 client it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server and then a notification is sent to the App-V 5.1 client.
5. After the reporting server receives the data from the App-V 5.1 client it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server and then a notification is sent to the App-V 5.1 client.
6. When the App-V 5.1 client receives the success notification, it empties the data cache to conserve space.
6. When the App-V 5.1 client receives the success notification, it empties the data cache to conserve space.
**Note**  
By default the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache.
> [!NOTE]
> By default the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache.
~~~
If the App-V 5.1 client device does not receive a success notification from the server, it retains data in the cache and tries to resend data at the next configured interval. Clients continue to collect data and add it to the cache.
~~~
### <a href="" id="-------------app-v-5-1-reporting-server-frequently-asked-questions"></a> App-V 5.1 reporting server frequently asked questions
@ -121,52 +113,50 @@ The following table displays answers to common questions about App-V 5.1 reporti
<strong>Note</strong><br/><p>Group Policy settings override local settings configured using PowerShell.</p>
</div>
<div>
</div></li>
</ol></td>
</tr>
</tbody>
</table>
## <a href="" id="---------app-v-5-1-client-reporting"></a> App-V 5.1 Client Reporting
To use App-V 5.1 reporting you must install and configure the App-V 5.1 client. After the client has been installed, use the **Set-AppVClientConfiguration** PowerShell cmdlet or the **ADMX Template** to configure reporting. The reporting feature cmdlets are available by using the following link and are prefaced by **Reporting**. For a complete list of client configuration settings see [About Client Configuration Settings](about-client-configuration-settings51.md). The following section provides examples of App-V 5.1 client reporting configuration using PowerShell.
### Configuring App-V Client reporting using PowerShell
The following examples show how PowerShell parameters can configure the reporting features of the App-V 5.1 client.
**Note**
The following configuration task can also be configured using Group Policy settings in the App-V 5.1 ADMX template. For more information about using the ADMX template, see [How to Modify App-V 5.1 Client Configuration Using the ADMX Template and Group Policy](how-to-modify-app-v-51-client-configuration-using-the-admx-template-and-group-policy.md).
> [!NOTE]
> The following configuration task can also be configured using Group Policy settings in the App-V 5.1 ADMX template. For more information about using the ADMX template, see [How to Modify App-V 5.1 Client Configuration Using the ADMX Template and Group Policy](how-to-modify-app-v-51-client-configuration-using-the-admx-template-and-group-policy.md).
**To enable reporting and to initiate data collection on the computer running the App-V 5.1 client**:
`Set-AppVClientConfiguration ReportingEnabled 1`
```powershell
Set-AppVClientConfiguration ReportingEnabled 1
```
**To configure the client to automatically send data to a specific reporting server**:
``` syntax
Set-AppVClientConfiguration ReportingServerURL http://MyReportingServer:MyPort/ -ReportingStartTime 20 -ReportingInterval 1 -ReportingRandomDelay 30
```powershell
Set-AppVClientConfiguration ReportingServerURL http://MyReportingServer:MyPort/ -ReportingStartTime 20 -ReportingInterval 1 -ReportingRandomDelay 30 -ReportingInterval 1 -ReportingRandomDelay 30
```
`-ReportingInterval 1 -ReportingRandomDelay 30`
This example configures the client to automatically send the reporting data to the reporting server URL <strong>http://MyReportingServer:MyPort/</strong>. Additionally, the reporting data will be sent daily between 8:00 and 8:30 PM, depending on the random delay generated for the session.
This example configures the client to automatically send the reporting data to the reporting server URL **http://MyReportingServer:MyPort/**. Additionally, the reporting data will be sent daily between 8:00 and 8:30 PM, depending on the random delay generated for the session.
**To limit the size of the data cache on the client**:
`Set-AppvClientConfiguration ReportingDataCacheLimit 100`
```powershell
Set-AppvClientConfiguration ReportingDataCacheLimit 100
```
Configures the maximum size of the reporting cache on the computer running the App-V 5.1 client to 100 MB. If the cache limit is reached before the data is sent to the server, then the log rolls over and data will be overwritten as necessary.
**To configure the data block size transmitted across the network between the client and the server**:
`Set-AppvClientConfiguration ReportingDataBlockSize 10240`
```powershell
Set-AppvClientConfiguration ReportingDataBlockSize 10240
```
Specifies the maximum data block that the client sends to 10240 MB.
@ -174,59 +164,15 @@ Specifies the maximum data block that the client sends to 10240 MB.
The following table displays the types of information you can collect by using App-V 5.1 reporting.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Client Information</th>
<th align="left">Package Information</th>
<th align="left">Application Usage</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Host Name</p></td>
<td align="left"><p>Package Name</p></td>
<td align="left"><p>Start and End Times</p></td>
</tr>
<tr class="even">
<td align="left"><p>App-V 5.1 Client Version</p></td>
<td align="left"><p>Package Version</p></td>
<td align="left"><p>Run Status</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Processor Architecture</p></td>
<td align="left"><p>Package Source</p></td>
<td align="left"><p>Shutdown State</p></td>
</tr>
<tr class="even">
<td align="left"><p>Operating System Version</p></td>
<td align="left"><p>Percent Cached</p></td>
<td align="left"><p>Application Name</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Service Pack Level</p></td>
<td align="left"><p></p></td>
<td align="left"><p>Application Version</p></td>
</tr>
<tr class="even">
<td align="left"><p>Operating System Type</p></td>
<td align="left"><p></p></td>
<td align="left"><p>Username</p></td>
</tr>
<tr class="odd">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Connection Group</p></td>
</tr>
</tbody>
</table>
|Client Information |Package Information |Application Usage |
|---------|---------|---------|
|Host Name |Package Name|Start and End Times|
|App-V 5.1 Client Version |Package Version|Run Status|
|Processor Architecture |Package Source|Shutdown State|
|Operating System Version|Percent Cached|Application Name|
|Service Pack Level| |Application Version|
|Operating System Type| |Username|
| | |Connection Group|
The client collects and saves this data in an **.xml** format. The data cache is hidden by default and requires administrator rights to open the XML file.
@ -234,19 +180,17 @@ The client collects and saves this data in an **.xml** format. The data cache is
You can configure the computer that is running the App-V 5.1 client to automatically send data to the specified reporting server. To specify the server use the **Set-AppvClientConfiguration** cmdlet with the following settings:
- ReportingEnabled
- ReportingServerURL
- ReportingStartTime
- ReportingInterval
- ReportingRandomDelay
- ReportingEnabled
- ReportingServerURL
- ReportingStartTime
- ReportingInterval
- ReportingRandomDelay
After you configure the previous settings, you must create a scheduled task. The scheduled task will contact the server specified by the **ReportingServerURL** setting and will initiate the transfer. If you want to manually send data outside of the scheduled times, use the following PowerShell cmdlet:
`Send-AppVClientReport URL http://MyReportingServer:MyPort/ -DeleteOnSuccess`
```powershell
Send-AppVClientReport URL http://MyReportingServer:MyPort/ -DeleteOnSuccess
```
If the reporting server has been previously configured, then the **URL** parameter can be omitted. Alternatively, if the data should be sent to an alternate location, specify a different URL to override the configured **ReportingServerURL** for this data collection.
@ -277,23 +221,20 @@ You can also use the **Send-AppVClientReport** cmdlet to manually collect data.
<strong>Note</strong><br/><p>If a location other than the Reporting Server is specified, the data is sent using <strong>.xml</strong> format with no additional processing.</p>
</div>
<div>
</div></td>
</tr>
</tbody>
</table>
### Creating Reports
To retrieve report information and create reports using App-V 5.1 you must use one of the following methods:
- **Microsoft SQL Server Reporting Services (SSRS)** - Microsoft SQL Server Reporting Services is available with Microsoft SQL Server. SSRS is not installed when you install the App-V 5.1 reporting server. It must be deployed separately to generate the associated reports.
- **Microsoft SQL Server Reporting Services (SSRS)** - Microsoft SQL Server Reporting Services is available with Microsoft SQL Server. SSRS is not installed when you install the App-V 5.1 reporting server. It must be deployed separately to generate the associated reports.
Use the following link for more information about using [Microsoft SQL Server Reporting Services](https://go.microsoft.com/fwlink/?LinkId=285596).
- **Scripting** You can generate reports by scripting directly against the App-V 5.1 reporting database. For example:
- **Scripting** You can generate reports by scripting directly against the App-V 5.1 reporting database. For example:
**Stored Procedure:**
@ -303,25 +244,10 @@ To retrieve report information and create reports using App-V 5.1 you must use o
The stored procedure is also created when using the App-V 5.1 database scripts.
You should also ensure that the reporting server web services **Maximum Concurrent Connections** is set to a value that the server will be able to manage without impacting availability. The recommended number of **Maximum Concurrent Connections** for the **Reporting Web Service** is **10,000**.
You should also ensure that the reporting server web service's **Maximum Concurrent Connections** is set to a value that the server will be able to manage without impacting availability. The recommended number of **Maximum Concurrent Connections** for the **Reporting Web Service** is **10,000**.
## Related topics
[Deploying the App-V 5.1 Server](deploying-the-app-v-51-server.md)
[How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md)

87
mdop/appv-v5/app-v-51-planning-checklist.md
View File

@ -16,86 +16,21 @@ ms.date: 06/16/2016
# App-V 5.1 Planning Checklist
This checklist can be used to help you plan for preparing your computing environment for Microsoft Application Virtualization (App-V) 5.1 deployment.
**Note**  
This checklist outlines the recommended steps and a high-level list of items to consider when planning for an App-V 5.1 deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th align="left"></th>
<th align="left">Task</th>
<th align="left">References</th>
<th align="left">Notes</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
<td align="left"><p>Review the getting started information about App-V 5.1 to gain a basic understanding of the product before beginning deployment planning.</p></td>
<td align="left"><p><a href="getting-started-with-app-v-51.md" data-raw-source="[Getting Started with App-V 5.1](getting-started-with-app-v-51.md)">Getting Started with App-V 5.1</a></p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
<td align="left"><p>Plan for App-V 5.1 1.0 Deployment Prerequisites and prepare your computing environment.</p></td>
<td align="left"><p><a href="app-v-51-prerequisites.md" data-raw-source="[App-V 5.1 Prerequisites](app-v-51-prerequisites.md)">App-V 5.1 Prerequisites</a></p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
<td align="left"><p>If you plan to use the App-V 5.1 management server, plan for the required roles.</p></td>
<td align="left"><p><a href="planning-for-the-app-v-51-server-deployment.md" data-raw-source="[Planning for the App-V 5.1 Server Deployment](planning-for-the-app-v-51-server-deployment.md)">Planning for the App-V 5.1 Server Deployment</a></p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
<td align="left"><p>Plan for the App-V 5.1 sequencer and client so you to create and run virtualized applications.</p></td>
<td align="left"><p><a href="planning-for-the-app-v-51-sequencer-and-client-deployment.md" data-raw-source="[Planning for the App-V 5.1 Sequencer and Client Deployment](planning-for-the-app-v-51-sequencer-and-client-deployment.md)">Planning for the App-V 5.1 Sequencer and Client Deployment</a></p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
<td align="left"><p>If applicable, review the options and steps for migrating from a previous version of App-V.</p></td>
<td align="left"><p><a href="planning-for-migrating-from-a-previous-version-of-app-v51.md" data-raw-source="[Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v51.md)">Planning for Migrating from a Previous Version of App-V</a></p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
<td align="left"><p>Plan for running App-V 5.1 clients using in shared content store mode.</p></td>
<td align="left"><p><a href="how-to-install-the-app-v-51-client-for-shared-content-store-mode.md" data-raw-source="[How to Install the App-V 5.1 Client for Shared Content Store Mode](how-to-install-the-app-v-51-client-for-shared-content-store-mode.md)">How to Install the App-V 5.1 Client for Shared Content Store Mode</a></p></td>
<td align="left"><p></p></td>
</tr>
</tbody>
</table>
> [!NOTE]
> This checklist outlines the recommended steps and a high-level list of items to consider when planning for an App-V 5.1 deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use.
| |Task |References |
|-|-|-|
|![Checklist box](images/checklistbox.gif) |Review the getting started information about App-V 5.1 to gain a basic understanding of the product before beginning deployment planning.|[Getting Started with App-V 5.1](getting-started-with-app-v-51.md)|
|![Checklist box](images/checklistbox.gif) |Plan for App-V 5.1 1.0 Deployment Prerequisites and prepare your computing environment.|[App-V 5.1 Prerequisites](app-v-51-prerequisites.md)|
|![Checklist box](images/checklistbox.gif) |If you plan to use the App-V 5.1 management server, plan for the required roles.|[Planning for the App-V 5.1 Server Deployment](planning-for-the-app-v-51-server-deployment.md)|
|![Checklist box](images/checklistbox.gif) |Plan for the App-V 5.1 sequencer and client so you to create and run virtualized applications.|[Planning for the App-V 5.1 Sequencer and Client Deployment](planning-for-the-app-v-51-sequencer-and-client-deployment.md)|
|![Checklist box](images/checklistbox.gif) |If applicable, review the options and steps for migrating from a previous version of App-V.|[Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v51.md)|
|![Checklist box](images/checklistbox.gif) |Plan for running App-V 5.1 clients using in shared content store mode.|[How to Install the App-V 5.1 Client for Shared Content Store Mode](how-to-install-the-app-v-51-client-for-shared-content-store-mode.md)|
|![Checklist box](images/checklistbox.gif) | | |
## Related topics
[Planning for App-V 5.1](planning-for-app-v-51.md)

45
mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md
View File

@ -16,63 +16,46 @@ ms.date: 06/16/2016
# How to install the Reporting Server on a Standalone Computer and Connect it to the Database
Use the following procedure to install the reporting server on a standalone computer and connect it to the database.
**Important**
Before performing the following procedure you should read and understand [About App-V 5.1 Reporting](about-app-v-51-reporting.md).
## To install the reporting server on a standalone computer and connect it to the database
1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
**To install the reporting server on a standalone computer and connect it to the database**
2. On the **Getting Started** page, review and accept the license terms, and click **Next**.
1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don't want to use Microsoft Update**. Click **Next**.
2. On the **Getting Started** page, review and accept the license terms, and click **Next**.
4. On the **Feature Selection** page, select the **Reporting Server** checkbox and click **Next**.
3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I dont want to use Microsoft Update**. Click **Next**.
5. On the **Installation Location** page, accept the default location and click **Next**.
4. On the **Feature Selection** page, select the **Reporting Server** checkbox and click **Next**.
6. On the **Configure Existing Reporting Database** page, select **Use a remote SQL Server**, and type the machine name of the computer running Microsoft SQL Server, for example **SqlServerMachine**.
5. On the **Installation Location** page, accept the default location and click **Next**.
> [!NOTE]
> If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**.
6. On the **Configure Existing Reporting Database** page, select **Use a remote SQL Server**, and type the machine name of the computer running Microsoft SQL Server, for example **SqlServerMachine**.
For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance.
**Note**
If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**.
~~~
For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance.
Specify the **SQL Server Database name** that this reporting server will use, for example **AppvReporting**.
~~~
Specify the **SQL Server Database name** that this reporting server will use, for example **AppvReporting**.
7. On the **Configure Reporting Server Configuration** page.
- Specify the Website Name that you want to use for the Reporting Service. Leave the default unchanged if you do not have a custom name.
- Specify the Website Name that you want to use for the Reporting Service. Leave the default unchanged if you do not have a custom name.
- For the **Port binding**, specify a unique port number that will be used by App-V 5.1, for example **55555**. You should also ensure that the port specified is not being used by another website.
- For the **Port binding**, specify a unique port number that will be used by App-V 5.1, for example **55555**. You should also ensure that the port specified is not being used by another website.
8. Click **Install**.
**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
[About App-V 5.1 Reporting](about-app-v-51-reporting.md)
[Deploying App-V 5.1](deploying-app-v-51.md)
[How to Enable Reporting on the App-V 5.1 Client by Using PowerShell](how-to-enable-reporting-on-the-app-v-51-client-by-using-powershell.md)

2
windows/deployment/update/update-compliance-monitor.md
View File

@ -20,7 +20,7 @@ ms.topic: article
> [!IMPORTANT]
> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal; however, please note the following updates:
>
> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/), which allows finer control over security features and updates.
> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
> * The Perspectives feature of Update Compliance will also be removed on March 31, 2020 in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.

2
windows/deployment/update/update-compliance-wd-av-status.md
View File

@ -18,7 +18,7 @@ ms.topic: article
> [!IMPORTANT]
> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/), which allows finer control over security features and updates.
> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png)

3
windows/deployment/windows-autopilot/known-issues.md
View File

@ -26,6 +26,9 @@ ms.topic: article
<table>
<th>Issue<th>More information
<tr><td>Windows Autopilot user-driven Hybrid Azure AD deployments do not grant users Administrator rights even when specified in the Windows Autopilot profile.</td>
<td>This will occur when there is another user on the device that already has Administrator rights. For example, a PowerShell script or policy could create an additional local account that is a member of the Administrators group. To ensure this works properly, do not create an additional account until after the Windows Autopilot process has completed.</tr>
<tr><td>Windows Autopilot device provisioning can fail with TPM attestation errors or ESP timeouts on devices where the real-time clock is off by a significant amount of time (e.g. several minutes or more).</td>
<td>To fix this issue: <ol><li>Boot the device to the start of the out-of-box experience (OOBE).
<li>Establish a network connection (wired or wireless).

11
windows/security/threat-protection/windows-defender-application-control/TOC.md
View File

@ -21,23 +21,24 @@
### [Audit WDAC policies](audit-windows-defender-application-control-policies.md)
### [Merge WDAC policies](merge-windows-defender-application-control-policies.md)
### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md)
### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md)
### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md)
### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md)
### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md)
### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md)
### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md)
### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
#### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
#### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md)
#### [Deploy catalog files to support WDAC](deploy-catalog-files-to-support-windows-defender-application-control.md)
### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md)
### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md)
### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md)
#### [Signing WDAC policies with SignTool.exe](signing-policies-with-signtool.md)
### [Disable WDAC policies](disable-windows-defender-application-control-policies.md)
### [LOB Win32 Apps on S Mode](LOB-win32-apps-on-s.md)
## [Windows Defender Application Control operational guide](windows-defender-application-control-operational-guide.md)
### [Understanding Application Control events](event-id-explanations.md)
### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md)
## [AppLocker](applocker\applocker-overview.md)
### [Administer AppLocker](applocker\administer-applocker.md)

80
windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md Normal file
View File

@ -0,0 +1,80 @@
---
title: Understanding Application Control events (Windows 10)
description: Learn what different Windows Defender Application Control events signify.
keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 3/17/2020
---
# Understanding Application Control events
A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
1. Event IDs beginning with 30 appear in Applications and Services logs Microsoft Windows CodeIntegrity Operational
2. Event IDs beginning with 80 appear in Applications and Services logs Microsoft Windows AppLocker MSI and Script
## Microsoft Windows CodeIntegrity Operational log event IDs
| Event ID | Explanation |
|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 3076 | Audit executable/dll file |
| 3077 | Block executable/dll file |
| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.<br>Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. |
| 3099 | Indicates that a policy has been loaded |
## Microsoft Windows Applocker MSI and Script log event IDs
| Event ID | Explanation |
|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. |
| 8029 | Block script/MSI file |
| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. | |
## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events
If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information.
| Event ID | Explanation |
|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 3090 | Allow executable/dll file |
| 3091 | Audit executable/dll file |
| 3092 | Block executable/dll file |
3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template which appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated.
### SmartLocker template
Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates.
| Name | Explanation |
|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. |
| ManagedInstallerEnabled | Policy trusts a MI |
| PassesManagedInstaller | File originated from a trusted MI |
| SmartlockerEnabled | Policy trusts the ISG |
| PassesSmartlocker | File had positive reputation |
| AuditEnabled | True if the policy is in audit mode, otherwise it is in enforce mode |
### Enabling ISG and MI diagnostic events
In order to enable 3091 audit events and 3092 block events, you must create a TestFlags regkey with a value of 0x100. You can do so using the following PowerShell command:
```powershell
reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100
```
In order to enable 3090 allow events, you must create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command:
```powershell
reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300
```

91
windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
View File

@ -1,91 +0,0 @@
---
title: Signing Windows Defender Application Control policies with SignTool.exe (Windows 10)
description: SSigned WDAC policies give organizations the highest level of malware protection available in Windows 10.
keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 02/21/2018
---
# Signing Windows Defender Application Control policies with SignTool.exe
**Applies to:**
- Windows 10
- Windows Server 2016
Signed WDAC policies give organizations the highest level of malware protection available in Windows 10.
In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer.
These policies are designed to prevent administrative tampering and kernel mode exploit access.
With this in mind, it is much more difficult to remove signed WDAC policies.
Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run.
Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward.
If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA.
Before signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md).
To sign a WDAC policy with SignTool.exe, you need the following components:
- SignTool.exe, found in the Windows SDK (Windows 7 or later)
- The binary format of the WDAC policy that you generated in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section or another WDAC policy that you have created
- An internal CA code signing certificate or a purchased code signing certificate
If you do not have a code signing certificate, see the [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) section for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session:
1. Initialize the variables that will be used:
`$CIPolicyPath=$env:userprofile+"\Desktop\"`
`$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
`$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
> [!NOTE]
> This example uses the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing users personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later.
4. Navigate to your desktop as the working directory:
`cd $env:USERPROFILE\Desktop`
5. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy:
`Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User Update`
> [!NOTE]
> \<Path to exported .cer certificate> should be the full path to the certificate that you exported in step 3.
Also, adding update signers is crucial to being able to modify or disable this policy in the future.
6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
`Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete`
7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format:
`ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`
8. Sign the WDAC policy by using SignTool.exe:
`<Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
> [!NOTE]
> The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).

6
windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
View File

@ -28,10 +28,8 @@ ms.date: 05/03/2018
- Windows Server 2016
Signed WDAC policies give organizations the highest level of malware protection available in Windows 10.
In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer.
These policies are designed to prevent administrative tampering and kernel mode exploit access.
With this in mind, it is much more difficult to remove signed WDAC policies.
Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies.
Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run.
Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward.

42
windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md Normal file
View File

@ -0,0 +1,42 @@
---
title: Managing and troubleshooting Windows Defender Application Control policies (Windows 10)
description: Gather information about how your deployed Windows Defender Application Control policies are behaving.
keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 03/16/2020
---
# Windows Defender Application Control operational guide
**Applies to**
- Windows 10
- Windows Server 2016
After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanted Threat Protection (MDATP) Advanced Hunting feature.
## WDAC Events Overview
WDAC generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC does not generate events when a binary is allowed; however, there is the option to enable allow events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured.
WDAC events are generated under two locations:
1. Applications and Services logs Microsoft Windows CodeIntegrity Operational
2. Applications and Services logs Microsoft Windows AppLocker MSI and Script
## In this section
| Topic | Description |
| - | - |
| [Understanding Application Control events](event-id-explanations.md) | This topic explains the meaning of different WDAC events. |
| [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) | This topic covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender ATP. |