**Customize Internet Explorer 11**
The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after deployment.
Download IEAK 11
IEAK 11 user's guide
Frequently asked questions about IEAK 11
Customization and distribution guidelines
**Install Internet Explorer 11**
Explore the different options for installation.
Through Automatic Updates (recommended)
As part of an operating system deployment
Over the network
With System Center 2012 R2 Configuration Manager
With Windows Server Update Services (WSUS)
With Microsoft Intune
With third-party tools
**Customize Internet Explorer 11** The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after deployment. Download IEAK 11 IEAK 11 user's guide Frequently asked questions about IEAK 11 Customization and distribution guidelines | **Install Internet Explorer 11** Explore the different options for installation. Through Automatic Updates (recommended) As part of an operating system deployment Over the network With System Center 2012 R2 Configuration Manager With Windows Server Update Services (WSUS) With Microsoft Intune With third-party tools |
-
 **Enforce settings with Group Policy** Learn how to use Group Policy to enforce settings on the computers in your organization. Group Policy for beginners New Group Policy settings for IE11 Administrative templates for IE11 |  **Standardize with Group Policy preferences** Group Policy preferences simplify deployment and standardize configurations, but unlike Group Policy, they can later be changed by users. Group Policy preferences for IE11 Configure Group Policy preferences |
 **Blocked out-of-date ActiveX controls** Find out more about the out-of-date ActiveX control blocking security feature available in Internet Explorer. Blocked out-of-date ActiveX controls Out-of-date ActiveX control blocking Update to block out-of-date ActiveX controls in Internet Explorer |  **Scripts for IT professionals** Find scripts to help you save time and automate common tasks. Batch loop: Check is a process running, if yes, wait in loop Script to join user to AD with automatic Local user Profile Migration Find-IE Citrix receiver Version See all scripts |
**Enforce settings with Group Policy** Learn how to use Group Policy to enforce settings on the computers in your organization. Group Policy for beginners New Group Policy settings for IE11 Administrative templates for IE11 | **Standardize with Group Policy preferences** Group Policy preferences simplify deployment and standardize configurations, but unlike Group Policy, they can later be changed by users. Group Policy preferences for IE11 Configure Group Policy preferences |
**Blocked out-of-date ActiveX controls** Find out more about the out-of-date ActiveX control blocking security feature available in Internet Explorer. Blocked out-of-date ActiveX controls Out-of-date ActiveX control blocking Update to block out-of-date ActiveX controls in Internet Explorer | **Scripts for IT professionals** Find scripts to help you save time and automate common tasks. Batch loop: Check is a process running, if yes, wait in loop Script to join user to AD with automatic Local user Profile Migration Find-IE Citrix receiver Version See all scripts |
Deploy
+ +Deploying, managing, and servicing Surface Pro X
- -When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.
Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | -|**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| -|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.
However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| - - -## Features we’re no longer developing - -We are no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources. - -If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). - -|Feature |Instead you can use...| -|-----------|---------------------| -|[Software Restriction Policies](https://docs.microsoft.com/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| -|[Offline symbol packages](https://docs.microsoft.com/windows-hardware/drivers/debugger/debugger-download-symbols) (Debug symbol MSIs)|We're no longer making the symbol packages available as a downloadable MSI. Instead, the [Microsoft Symbol Server is moving to be an Azure-based symbol store](https://blogs.msdn.microsoft.com/windbg/2017/10/18/update-on-microsofts-symbol-server/). If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.| -|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. If for any reason you see an error message about "help not supported," possibly when using a non-Microsoft application, read [this support article](https://support.microsoft.com/help/917607/error-opening-help-in-windows-based-programs-feature-not-included-or-h) for additional information and any next steps.| -|Contacts feature in File Explorer|We're no longer developing the Contacts feature or the corresponding [Windows Contacts API](https://msdn.microsoft.com/library/ff800913.aspx). Instead, you can use the People app in Windows 10 to maintain your contacts.| -|Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.| -|IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| -|[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers have been deprecated since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.| -|Business Scanning, also called Distributed Scan Management (DSM) **(Added 05/03/2018)**|The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| +--- +title: Windows 10, version 1803 - Features that have been removed +description: Learn about features that will be removed or deprecated in Windows 10, version 1803, or a future release +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.author: greglin +ms.date: 08/16/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- +# Features removed or planned for replacement starting with Windows 10, version 1803 + +> Applies to: Windows 10, version 1803 + +Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Here are the details about the features and functionalities that we removed in Windows 10, version 1803 (also called Windows 10 April 2018 Update). + +> [!TIP] +> - You can get early access to Windows 10 builds by joining the [Windows Insider program](https://insider.windows.com) - this is a great way to test feature changes. +- Have questions about other releases? Check out the information for [Features that are removed or deprecated in Windows 10, version 1703](https://docs.microsoft.com/windows/deployment/planning/windows-10-1703-removed-features), [Features that are removed or deprecated in Windows 10, version 1709](https://docs.microsoft.com/windows/deployment/planning/windows-10-1709-removed-features), and [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/en-us/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update). + + +**The list is subject to change and might not include every affected feature or functionality.** + +## Features we removed in this release + +We've removed the following features and functionalities from the installed product image in Windows 10, version 1803. Applications or code that depend on these features won't function in this release unless you use an alternate method. + +|Feature |Instead you can use...| +|-----------|-------------------- +|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC or to stream music from OneDrive. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| +|People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.| +|Language control in the Control Panel| Use the Settings app to change your language settings.| +|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.
When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.
Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | +|**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| +|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.
However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| + + +## Features we’re no longer developing + +We are no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources. + +If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). + +|Feature |Instead you can use...| +|-----------|---------------------| +|[Software Restriction Policies](https://docs.microsoft.com/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| +|[Offline symbol packages](https://docs.microsoft.com/windows-hardware/drivers/debugger/debugger-download-symbols) (Debug symbol MSIs)|We're no longer making the symbol packages available as a downloadable MSI. Instead, the [Microsoft Symbol Server is moving to be an Azure-based symbol store](https://blogs.msdn.microsoft.com/windbg/2017/10/18/update-on-microsofts-symbol-server/). If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.| +|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. If for any reason you see an error message about "help not supported," possibly when using a non-Microsoft application, read [this support article](https://support.microsoft.com/help/917607/error-opening-help-in-windows-based-programs-feature-not-included-or-h) for additional information and any next steps.| +|Contacts feature in File Explorer|We're no longer developing the Contacts feature or the corresponding [Windows Contacts API](https://msdn.microsoft.com/library/ff800913.aspx). Instead, you can use the People app in Windows 10 to maintain your contacts.| +|Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.| +|IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| +|[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers have been deprecated since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.| +|Business Scanning, also called Distributed Scan Management (DSM) **(Added 05/03/2018)**|The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| diff --git a/windows/deployment/planning/windows-10-1809-removed-features.md b/windows/deployment/planning/windows-10-1809-removed-features.md index a538532b77..9a2cb63049 100644 --- a/windows/deployment/planning/windows-10-1809-removed-features.md +++ b/windows/deployment/planning/windows-10-1809-removed-features.md @@ -1,52 +1,54 @@ ---- -title: Windows 10, version 1809 - Features that have been removed -description: Learn about features that will be removed or deprecated in Windows 10, version 1809, or a future release -ms.prod: w10 -ms.mktglfcycl: plan -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.author: greglin -ms.date: 11/16/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# Features removed or planned for replacement starting with Windows 10, version 1809 - -> Applies to: Windows 10, version 1809 - -Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Here are the details about the features and functionalities that we removed in Windows 10, version 1809. - -> [!TIP] -> - You can get early access to Windows 10 builds by joining the [Windows Insider program](https://insider.windows.com) - this is a great way to test feature changes. -> - Have questions about other releases? Check out the information for [Windows 10, version 1803](windows-10-1803-removed-features.md), [Windows 10, version 1709](windows-10-fall-creators-deprecation.md), and [Windows 10, version 1703](windows-10-creators-update-deprecation.md). - -**The list is subject to change and might not include every affected feature or functionality.** - -## Features we removed in this release - -We're removing the following features and functionalities from the installed product image in Windows 10, version 1809. Applications or code that depend on these features won't function in this release unless you use an alternate method. - -|Feature |Instead you can use...| -|-----------|-------------------- -|Business Scanning, also called Distributed Scan Management (DSM)|We're removing this secure scanning and scanner management capability - there are no devices that support this feature.| -|[FontSmoothing setting](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting let you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](https://docs.microsoft.com/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it'll be ignored.| -|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.| -|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| -|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| -|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| - -## Features we’re no longer developing - -We're no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources. - -If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). - -|Feature |Instead you can use...| -|-----------|---------------------| -|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because third party partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| -|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| -|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97), that provides the same screen snipping abilities, as well as additional features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the “Screen snip” button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| - - +--- +title: Windows 10, version 1809 - Features that have been removed +description: Learn about features that will be removed or deprecated in Windows 10, version 1809, or a future release +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.author: greglin +ms.date: 11/16/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- +# Features removed or planned for replacement starting with Windows 10, version 1809 + +> Applies to: Windows 10, version 1809 + +Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Here are the details about the features and functionalities that we removed in Windows 10, version 1809. + +> [!TIP] +> You can get early access to Windows 10 builds by joining the [Windows Insider program](https://insider.windows.com) - this is a great way to test feature changes. +> Have questions about other releases? Check out the information for [Features removed or planned for replacement starting with Windows 10, version 1809](https://docs.microsoft.com/windows/deployment/planning/windows-10-1809-removed-features), [Features removed or planned for replacement starting with Windows Server, version 1709](https://docs.microsoft.com/windows-server/get-started/removed-features-1709), and [Features that are removed or deprecated in Windows 10, version 1703](https://docs.microsoft.com/windows/deployment/planning/windows-10-1703-removed-features). + + +**The list is subject to change and might not include every affected feature or functionality.** + +## Features we removed in this release + +We're removing the following features and functionalities from the installed product image in Windows 10, version 1809. Applications or code that depend on these features won't function in this release unless you use an alternate method. + +|Feature |Instead you can use...| +|-----------|-------------------- +|Business Scanning, also called Distributed Scan Management (DSM)|We're removing this secure scanning and scanner management capability - there are no devices that support this feature.| +|[FontSmoothing setting](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting let you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](https://docs.microsoft.com/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it'll be ignored.| +|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.| +|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| +|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| +|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| + +## Features we’re no longer developing + +We're no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources. + +If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). + +|Feature |Instead you can use...| +|-----------|---------------------| +|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because third party partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| +|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| +|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97), that provides the same screen snipping abilities, as well as additional features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the “Screen snip” button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| + + diff --git a/windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png b/windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png index 9e37eda7a6..9308673481 100644 Binary files a/windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png and b/windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png differ diff --git a/windows/deployment/update/images/azure-portal-UR-settings.png b/windows/deployment/update/images/azure-portal-UR-settings.png index d8a5a3594d..67ace993e8 100644 Binary files a/windows/deployment/update/images/azure-portal-UR-settings.png and b/windows/deployment/update/images/azure-portal-UR-settings.png differ diff --git a/windows/deployment/update/images/azure-portal-create-resource-boxes.png b/windows/deployment/update/images/azure-portal-create-resource-boxes.png index a90344e02d..b15bec2265 100644 Binary files a/windows/deployment/update/images/azure-portal-create-resource-boxes.png and b/windows/deployment/update/images/azure-portal-create-resource-boxes.png differ diff --git a/windows/deployment/update/images/temp-azure-portal-soltn-setting.png b/windows/deployment/update/images/temp-azure-portal-soltn-setting.png index 70815abf46..33175c7590 100644 Binary files a/windows/deployment/update/images/temp-azure-portal-soltn-setting.png and b/windows/deployment/update/images/temp-azure-portal-soltn-setting.png differ diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index 210ebcaf84..9c45228695 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md @@ -36,7 +36,7 @@ Windows as a service provides a new way to think about building, deploying, and | [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows 10; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. | | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. | | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates. | -| [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | Explains how to assign devices to the Semi-Annual Channel for feature and quality updates, and how to enroll devices in Windows Insider. | +| [Assign devices to servicing branches for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-servicing-channels-windows-10-updates) | Explains how to assign devices to the Semi-Annual Channel for feature and quality updates, and how to enroll devices in Windows Insider. | | [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Windows Analytics: Update Compliance to monitor and manage Windows Updates on devices in your organization. | | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. | | [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. | diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index 74c05a0abe..b7e23d8a0a 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -19,15 +19,14 @@ ms.topic: article **Applies to** - Windows 10 -- Windows 10 IoT Mobile Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](index.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts. ## Definitions Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean. -- **Feature updates** will be released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years. -- **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month ("Patch Tuesday"), though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md). +- **Feature updates** are released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years. +- **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month, though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md). - **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. - **Servicing channels** allow organizations to choose when to deploy new features. - The **Semi-Annual Channel** receives feature updates twice per year. @@ -40,9 +39,9 @@ For some interesting in-depth information about how cumulative updates work, see ## Key Concepts -Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers. +Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. With each Semi-Annual Channel release, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion. -Each Windows 10 feature update will be serviced with quality updates for 18 months from the date of the feature update release. +All releases of Windows 10 have 18 months of servicing for all editions--these updates provide security and feature updates for the release. Customers running Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. These versions include Enterprise and Education editions for Windows 10, versions 1607 and later. Starting in October 2018, all Semi-Annual Channel releases in the September/October timeframe will also have the additional 12 months of servicing for a total of 30 months from the initial release. The Semi-Annual Channel versions released in March/April timeframe will continue to have an 18-month lifecycle. Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years. @@ -50,7 +49,7 @@ See [Assign devices to servicing channels for Windows 10 updates](waas-servicing ## Staying up to date -The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help. +The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help. Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin. diff --git a/windows/deployment/update/windows-analytics-privacy.md b/windows/deployment/update/windows-analytics-privacy.md index 8e7a8558db..d6749b666d 100644 --- a/windows/deployment/update/windows-analytics-privacy.md +++ b/windows/deployment/update/windows-analytics-privacy.md @@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -audience: itpro author: greg-lindsay -ms.audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay +ms.audience: itpro +author: greg-lindsay ms.localizationpriority: high ms.collection: M365-analytics ms.topic: article @@ -43,6 +45,7 @@ See these topics for additional background information about related privacy iss - [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance) - [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization) - [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965) +- [Windows 10, version 1903 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903) - [Windows 10, version 1809 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809) - [Windows 10, version 1803 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803) - [Windows 10, version 1709 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709) diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md index 0d0a77909e..f308f019a8 100644 --- a/windows/deployment/volume-activation/volume-activation-windows-10.md +++ b/windows/deployment/volume-activation/volume-activation-windows-10.md @@ -1,5 +1,5 @@ --- -title: Volume Activation for Windows 10 (Windows 10) +title: Volume Activation for Windows 10 description: This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. ms.assetid: 6e8cffae-7322-4fd3-882a-cde68187aef2 ms.reviewer: @@ -10,7 +10,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.localizationpriority: medium ms.date: 07/27/2017 ms.topic: article @@ -18,52 +19,54 @@ ms.topic: article # Volume Activation for Windows 10 -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 +> Applies to +> +>- Windows 10 +>- Windows Server 2012 R2 +>- Windows Server 2012 +>- Windows Server 2016 +>- Windows Server 2019 **Looking for volume licensing information?** -- [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://go.microsoft.com/fwlink/p/?LinkId=620104) + +- [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://go.microsoft.com/fwlink/p/?LinkId=620104) **Looking for retail activation?** -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +- [Get Help Activating Microsoft Windows](https://support.microsoft.com/help/12440/windows-10-activate) This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. -*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as Open and Select) and to participants in programs such as the Microsoft Partner Program and MSDN Subscriptions. + +*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as [Open](https://www.microsoft.com/Licensing/licensing-programs/open-license) and [Select](https://www.microsoft.com/Licensing/licensing-programs/select)) and to participants in programs such as the [Microsoft Partner Program](https://partner.microsoft.com/) and [MSDN Subscriptions](https://visualstudio.microsoft.com/msdn-platforms/). Volume activation is a configurable solution that helps automate and manage the product activation process on computers running Windows operating systems that have been licensed under a volume licensing program. Volume activation is also used with other software from Microsoft (most notably the Office suites) that are sold under volume licensing agreements and that support volume activation. -This guide provides information and step-by-step guidance to help you choose a volume activation method that suits your environment, and then to configure that solution successfully. This guide describes the volume activation features that are available in Windows 10 and Windows Server 2012 R2 and the tools that are provided in these versions of Windows and Windows Server to manage volume activation. +This guide provides information and step-by-step guidance to help you choose a volume activation method that suits your environment, and then to configure that solution successfully. This guide describes the volume activation features and the tools to manage volume activation. -Because most organizations will not immediately switch all computers to Windows 10, practical volume activation strategies must also take in to account how to work with the Windows 8, Windows 7, Windows Server 2012, and Windows Server 2008 R2Windows Server 2008 R2 operating systems. This guide -discusses how the new volume activation tools can support earlier operating systems, but it does not discuss the tools that are provided with earlier operating system versions. +Because most organizations will not immediately switch all computers to Windows 10, practical volume activation strategies must also take in to account how to work with the Windows 8.1, Windows 7, Windows Server 2012, and Windows Server 2008 R2 operating systems. This guide discusses how the new volume activation tools can support earlier operating systems, but it does not discuss the tools that are provided with earlier operating system versions. -Volume activation—and the need for activation itself—is not new, and this guide does not review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](https://go.microsoft.com/fwlink/p/?LinkId=618209) in the TechNet Library. +Volume activation -and the need for activation itself- is not new, and this guide does not review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831612(v=ws.11)). If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, please see the [Volume Activation Planning Guide for Windows 7](https://go.microsoft.com/fwlink/p/?LinkId=618210). To successfully plan and implement a volume activation strategy, you must: -- Learn about and understand product activation. -- Review and evaluate the available activation types or models. -- Consider the connectivity of the clients to be activated. -- Choose the method or methods to be used with each type of client. -- Determine the types and number of product keys you will need. -- Determine the monitoring and reporting needs in your organization. -- Install and configure the tools required to support the methods selected. + +- Learn about and understand product activation. +- Review and evaluate the available activation types or models. +- Consider the connectivity of the clients to be activated. +- Choose the method or methods to be used with each type of client. +- Determine the types and number of product keys you will need. +- Determine the monitoring and reporting needs in your organization. +- Install and configure the tools required to support the methods selected. Keep in mind that the method of activation does not change an organization’s responsibility to the licensing requirements. You must ensure that all software used in your organization is properly licensed and activated in accordance with the terms of the licensing agreements in place. -**In this guide:** -- [Plan for volume activation](plan-for-volume-activation-client.md) -- [Activate using Key Management Service](activate-using-key-management-service-vamt.md) -- [Activate using Active Directory-based activation](activate-using-active-directory-based-activation-client.md) -- [Activate clients running Windows 10](activate-windows-10-clients-vamt.md) -- [Monitor activation](monitor-activation-client.md) -- [Use the Volume Activation Management Tool](use-the-volume-activation-management-tool-client.md) -- [Appendix: Information sent to Microsoft during activation](appendix-information-sent-to-microsoft-during-activation-client.md) - +## Additional information + +- [Plan for volume activation](plan-for-volume-activation-client.md) +- [Activate using Key Management Service](activate-using-key-management-service-vamt.md) +- [Activate using Active Directory-based activation](activate-using-active-directory-based-activation-client.md) +- [Activate clients running Windows 10](activate-windows-10-clients-vamt.md) +- [Monitor activation](monitor-activation-client.md) +- [Use the Volume Activation Management Tool](use-the-volume-activation-management-tool-client.md) +- [Appendix: Information sent to Microsoft during activation](appendix-information-sent-to-microsoft-during-activation-client.md) diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md index b5cc63019b..7aacf56861 100644 --- a/windows/deployment/windows-autopilot/white-glove.md +++ b/windows/deployment/windows-autopilot/white-glove.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: low ms.sitesec: library ms.pagetype: deploy -audience: itpro +audience: itproF author: greg-lindsay manager: laurawi ms.audience: itpro @@ -30,7 +30,7 @@ With **Windows Autopilot for white glove deployment**, the provisioning process  -Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove deployment capabilities build on top of existing Windows Autopilot [user-driven scenarios](user-driven.md), supporting both the user-driven [Azure AD join](user-driven-aad.md) and [Hybrid Azure AD](user-driven-hybrid.md) join scenarios. +Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove deployment capabilities build on top of existing Windows Autopilot [user-driven scenarios](user-driven.md), supporting both the user-driven mode for Azure Active Directory Join, and user-driven mode for Hybrid Azure Active directory join scenarios. ## Prerequisites diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index 1baaf03dea..80be0dc299 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md @@ -78,6 +78,10 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti
Intel- https://ekop.intel.com/ekcertservice +
Qualcomm- https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1 +
AMD- https://ftpm.amd.com/pki/aia
-[Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md) +--- +title: Overview of Windows Autopilot +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro +author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Overview of Windows Autopilot + +**Applies to** + +- Windows 10 + +Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices. This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. + +Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users. See the following diagram: + +  + +When initially deploying new Windows devices, Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on the device, saving organizations the effort of having to maintain custom images and drivers for every model of device being used. Instead of re-imaging the device, your existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise) to support advanced features. + +Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, System Center Configuration Manager, and other similar tools. Windows Autopilot can also be used to re-purpose a device by leveraging Windows Autopilot Reset to quickly prepare a device for a new user, or in break/fix scenarios to enable a device to quickly be brought back to a business-ready state. + +Windows Autopilot enables you to: +* Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. +* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription for configuration*](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Windows-10-Azure-AD-and-Microsoft-Intune-Automatic-MDM/ba-p/244067)). +* Restrict the Administrator account creation. +* Create and auto-assign devices to configuration groups based on a device's profile. +* Customize OOBE content specific to the organization. + +## Windows Autopilot walkthrough + +The following video shows the process of setting up Windows Autopilot: + + + + + +## Benefits of Windows Autopilot + +Traditionally, IT pros spend a lot of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach. + +From the user's perspective, it only takes a few simple operations to make their device ready to use. + +From the IT pro's perspective, the only interaction required from the end user is to connect to a network and to verify their credentials. Everything beyond that is automated. + +## Requirements + +Windows 10 version 1703 or higher is required to use Windows Autopilot. See [Windows Autopilot requirements](windows-autopilot-requirements.md) for detailed information on software, configuration, network, and licensing requirements. + +## Related topics + +[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot)
+[Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md) diff --git a/windows/hub/windows-10.yml b/windows/hub/windows-10.yml index e858c87806..1504e2cae3 100644 --- a/windows/hub/windows-10.yml +++ b/windows/hub/windows-10.yml @@ -33,7 +33,7 @@ sections: - type: markdown text: " Learn about the latest releases and servicing options.
-
 | What's new in Windows 10, version 1809 What's new in Windows 10, version 1803 What's new in Windows 10, version 1709 Windows 10 release information Windows 10 update history Windows 10 roadmap |
| What's new in Windows 10, version 1809 What's new in Windows 10, version 1803 What's new in Windows 10, version 1709 Windows 10 release information Windows 10 update history Windows 10 roadmap |
-
| Windows 10 FAQ for IT Pros Windows 10 forums Windows 10 TechCommunity Which edition is right for your organization? Infrastructure requirements What's Windows as a service? Windows 10 Mobile deployment and management guide |  |
**In-place upgrade** The simplest way to upgrade PCs that are currently running WIndows 7, Windows 8, or Windows 8.1 is to do an in-place upgrade. Upgrade to Windows 10 with Configuration Manager Upgrade to Windows 10 with MDT | **Traditional deployment** Some organizations may still need to opt for an image-based deployment of Windows 10. Deploy Windows 10 with Configuration Manager Deploy Windows 10 with MDT | ||
 **Dynamic provisioning** With Windows 10 you can create provisioning packages that let you quickly configure a device without having to install a new image. Provisioning packages for Windows 10 Build and apply a provisioning package Customize Windows 10 start and the taskbar |  Windows deployment for education environmentsSet up a shared or guest PC with Windows 10 Sideload apps in Windows 10 |
**In-place upgrade** The simplest way to upgrade PCs that are currently running WIndows 7, Windows 8, or Windows 8.1 is to do an in-place upgrade. Upgrade to Windows 10 with Configuration Manager Upgrade to Windows 10 with MDT | **Traditional deployment** Some organizations may still need to opt for an image-based deployment of Windows 10. Deploy Windows 10 with Configuration Manager Deploy Windows 10 with MDT |
**Dynamic provisioning** With Windows 10 you can create provisioning packages that let you quickly configure a device without having to install a new image. Provisioning packages for Windows 10 Build and apply a provisioning package Customize Windows 10 start and the taskbar | Windows deployment for education environments Set up a shared or guest PC with Windows 10 Sideload apps in Windows 10 |
-
**Manage Windows 10 updates** Get best practices and tools to help you manage clients and apps. Manage clients in Windows 10 Manage apps and features in Windows 10 | **Security** Intelligent security, powered by the cloud. Out-of-the-box protection, advanced security features, and intelligent management to respond to advanced threats. Windows 10 enterprise security Threat protection Identity protection Information protection |
**Manage Windows 10 updates** Get best practices and tools to help you manage clients and apps. Manage clients in Windows 10 Manage apps and features in Windows 10 | **Security** Intelligent security, powered by the cloud. Out-of-the-box protection, advanced security features, and intelligent management to respond to advanced threats. Windows 10 enterprise security Threat protection Identity protection Information protection |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 10240.18334 September 23, 2019 KB4522009 | Resolved KB4524153 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 10240.18334 September 23, 2019 KB4522009 | Resolved KB4520011 | October 08, 2019 10:00 AM PT |
| Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error. See details > | OS Build 10240.18305 August 13, 2019 KB4512497 | Resolved KB4517276 | August 17, 2019 02:00 PM PT |
| MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later. See details > | OS Build 10240.18244 June 11, 2019 KB4503291 | Resolved External | August 09, 2019 07:03 PM PT |
| Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close. See details > | OS Build 10240.18244 June 11, 2019 KB4503291 | Resolved KB4507458 | July 09, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524153. Back to top | OS Build 10240.18334 September 23, 2019 KB4522009 | Resolved KB4524153 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4520011. Back to top | OS Build 10240.18334 September 23, 2019 KB4522009 | Resolved KB4520011 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 14393.3206 September 23, 2019 KB4522010 | Resolved KB4524152 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 14393.3206 September 23, 2019 KB4522010 | Resolved KB4519998 | October 08, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 14393.3204 September 10, 2019 KB4516044 | Resolved | September 17, 2019 04:47 PM PT |
| Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data. See details > | OS Build 14393.3053 June 18, 2019 KB4503294 | Resolved KB4516044 | September 10, 2019 10:00 AM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 14393.3115 July 16, 2019 KB4507459 | Resolved KB4512517 | August 13, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524152. Back to top | OS Build 14393.3206 September 23, 2019 KB4522010 | Resolved KB4524152 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4519998. Back to top | OS Build 14393.3206 September 23, 2019 KB4522010 | Resolved KB4519998 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: After investigation, we have found that this issue does not affect this version of Windows. Back to top | OS Build 14393.3204 September 10, 2019 KB4516044 | Resolved | Resolved: September 17, 2019 04:47 PM PT Opened: September 13, 2019 05:25 PM PT |
| Details | Originating update | Status | History |
| Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.” Affected platforms:
Resolution: This issue was resolved in KB4516044. Back to top | OS Build 14393.3053 June 18, 2019 KB4503294 | Resolved KB4516044 | Resolved: September 10, 2019 10:00 AM PT Opened: August 01, 2019 05:00 PM PT |
| Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.” Affected platforms:
Resolution: This issue was resolved in KB4516044. Back to top | OS Build 14393.3053 June 18, 2019 KB4503294 | Resolved KB4516044 | Resolved: September 10, 2019 10:00 AM PT Opened: August 01, 2019 05:00 PM PT |
| Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error After installing KB4512517, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\" Affected platforms:
Resolution: This issue was resolved in KB4512495. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512495 and install. For instructions, see Update Windows 10. Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS). Back to top | OS Build 14393.3144 August 13, 2019 KB4512517 | Resolved KB4512495 | Resolved: August 17, 2019 02:00 PM PT Opened: August 14, 2019 03:34 PM PT |
| MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503267) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.” Affected platforms:
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue. Back to top | OS Build 14393.3025 June 11, 2019 KB4503267 | Resolved External | Last updated: August 09, 2019 07:03 PM PT Opened: August 09, 2019 04:25 PM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 15063.2046 September 23, 2019 KB4522011 | Resolved KB4524151 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 15063.2046 September 23, 2019 KB4522011 | Resolved KB4520010 | October 08, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 15063.2045 September 10, 2019 KB4516068 | Resolved | September 17, 2019 04:47 PM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 15063.1955 July 16, 2019 KB4507467 | Resolved KB4512507 | August 13, 2019 10:00 AM PT |
| Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error. See details > | OS Build 15063.1988 August 13, 2019 KB4512507 | Resolved KB4512474 | August 17, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524151. Back to top | OS Build 15063.2046 September 23, 2019 KB4522011 | Resolved KB4524151 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4520010. Back to top | OS Build 15063.2046 September 23, 2019 KB4522011 | Resolved KB4520010 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: After investigation, we have found that this issue does not affect this version of Windows. Back to top | OS Build 15063.2045 September 10, 2019 KB4516068 | Resolved | Resolved: September 17, 2019 04:47 PM PT Opened: September 13, 2019 05:25 PM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 16299.1392 September 23, 2019 KB4522012 | Resolved KB4524150 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 16299.1392 September 23, 2019 KB4522012 | Resolved KB4520004 | October 08, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 16299.1387 September 10, 2019 KB4516066 | Resolved | September 19, 2019 04:08 PM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 16299.1296 July 16, 2019 KB4507465 | Resolved KB4512516 | August 13, 2019 10:00 AM PT |
| Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\" See details > | OS Build 16299.1217 June 11, 2019 KB4503284 | Resolved KB4512494 | August 16, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524150. Back to top | OS Build 16299.1392 September 23, 2019 KB4522012 | Resolved KB4524150 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4520004. Back to top | OS Build 16299.1392 September 23, 2019 KB4522012 | Resolved KB4520004 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: Due to security related changes in KB4516066, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Back to top | OS Build 16299.1387 September 10, 2019 KB4516066 | Resolved | Resolved: September 19, 2019 04:08 PM PT Opened: September 13, 2019 05:25 PM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 17134.1009 September 23, 2019 KB4522014 | Resolved KB4524149 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 17134.1009 September 23, 2019 KB4522014 | Resolved KB4520008 | October 08, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 17134.1006 September 10, 2019 KB4516058 | Resolved | September 19, 2019 04:08 PM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 17134.915 July 16, 2019 KB4507466 | Resolved KB4512501 | August 13, 2019 10:00 AM PT |
| Notification issue: \"Your device is missing important security and quality fixes.\" Some users may have incorrectly received the notification \"Your device is missing important security and quality fixes.\" See details > | N/A | Resolved | September 03, 2019 12:32 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524149. Back to top | OS Build 17134.1009 September 23, 2019 KB4522014 | Resolved KB4524149 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4520008. Back to top | OS Build 17134.1009 September 23, 2019 KB4522014 | Resolved KB4520008 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: Due to security related changes in KB4516058, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Back to top | OS Build 17134.1006 September 10, 2019 KB4516058 | Resolved | Resolved: September 19, 2019 04:08 PM PT Opened: September 13, 2019 05:25 PM PT |
| Notification issue: \"Your device is missing important security and quality fixes.\" Some users may have incorrectly received the notification \"Your device is missing important security and quality fixes\" in the Windows Update dialog and a red \"!\" in the task tray on the Windows Update tray icon. This notification is intended for devices that are 90 days or more out of date, but some users with installed updates released in June or July also saw this notification. Affected platforms:
Resolution: This issue was resolved on the server side on August 30, 2019. Only devices that are out of date by 90 days or more should now see the notification. No action is required by the user to resolve this issue. If you are still seeing the \"Your device is missing important security and quality fixes\" notification, we recommend selecting Check for Updates in the Windows Update dialog. For instructions, see Update Windows 10. Microsoft always recommends trying to keep your devices up to date, as the monthly updates contain important security fixes. Back to top | N/A | Resolved | Resolved: September 03, 2019 12:32 PM PT Opened: September 03, 2019 12:32 PM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 17763.740 September 23, 2019 KB4522015 | Resolved KB4524148 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 17763.740 September 23, 2019 KB4522015 | Resolved KB4519338 | October 08, 2019 10:00 AM PT |
| Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data. See details > | OS Build 17763.55 October 09, 2018 KB4464330 | Resolved KB4516077 | September 24, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 17763.737 September 10, 2019 KB4512578 | Resolved | September 19, 2019 04:08 PM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 17763.652 July 22, 2019 KB4505658 | Resolved KB4511553 | August 13, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524148. Back to top | OS Build 17763.740 September 23, 2019 KB4522015 | Resolved KB4524148 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4519338. Back to top | OS Build 17763.740 September 23, 2019 KB4522015 | Resolved KB4519338 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: Due to security related changes in KB4512578, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Back to top | OS Build 17763.737 September 10, 2019 KB4512578 | Resolved | Resolved: September 19, 2019 04:08 PM PT Opened: September 13, 2019 05:25 PM PT |
| Details | Originating update | Status | History |
| Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.” Affected platforms:
Resolution: This issue was resolved in KB4516077. Back to top | OS Build 17763.55 October 09, 2018 KB4464330 | Resolved KB4516077 | Resolved: September 24, 2019 10:00 AM PT Opened: August 01, 2019 05:00 PM PT |
| Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.” Affected platforms:
Resolution: This issue was resolved in KB4516077. Back to top | OS Build 17763.55 October 09, 2018 KB4464330 | Resolved KB4516077 | Resolved: September 24, 2019 10:00 AM PT Opened: August 01, 2019 05:00 PM PT |
| Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error After installing KB4511553, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\" Affected platforms:
Resolution: This issue was resolved in KB4512534. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512534 and install. For instructions, see Update Windows 10. Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS). Back to top | OS Build 17763.678 August 13, 2019 KB4511553 | Resolved KB4512534 | Resolved: August 17, 2019 02:00 PM PT Opened: August 14, 2019 03:34 PM PT |
| MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503327) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.” Affected platforms:
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue. Back to top | OS Build 17763.557 June 11, 2019 KB4503327 | Resolved External | Last updated: August 09, 2019 07:03 PM PT Opened: August 09, 2019 04:25 PM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 18362.357 September 23, 2019 KB4522016 | Resolved KB4524147 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 18362.357 September 23, 2019 KB4522016 | Resolved KB4517389 | October 08, 2019 10:00 AM PT |
| Audio in games is quiet or different than expected Microsoft has received reports that audio in certain games is quieter or different than expected. See details > | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved KB4517211 | September 26, 2019 02:00 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved | September 19, 2019 04:08 PM PT |
| Some users report issues related to the Start menu and Windows Desktop Search Microsoft has received reports that a small number of users are having issues related to the Start menu and Windows Desktop Search. See details > | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved | September 19, 2019 04:58 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524147. Back to top | OS Build 18362.357 September 23, 2019 KB4522016 | Resolved KB4524147 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4517389. Back to top | OS Build 18362.357 September 23, 2019 KB4522016 | Resolved KB4517389 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Audio in games is quiet or different than expected Microsoft has received reports that audio in certain games is quieter or different than expected. At the request of some of our audio partners, we implemented a compatibility change that enabled certain games to query support and render multi-channel audio. Due to customer feedback, we are reverting this change as some games and some devices are not rendering multi-channel audio as expected. This may result in games sounding different than customers are used to and may have missing channels. Affected platforms:
Resolution: This issue was resolved in KB4517211. Back to top | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved KB4517211 | Resolved: September 26, 2019 02:00 PM PT Opened: September 13, 2019 05:25 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: Due to security related changes in KB4515384, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Back to top | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved | Resolved: September 19, 2019 04:08 PM PT Opened: September 13, 2019 05:25 PM PT |
| Some users report issues related to the Start menu and Windows Desktop Search Microsoft has received reports that a small number of users are having issues related to the Start menu and Windows Desktop Search. Affected platforms:
Resolution: At this time, Microsoft has not found a Search or Start issue significantly impacting users originating from KB4515384. We will continue monitoring to ensure users have a high-quality experience when interacting with these areas. If you are currently having issues, we recommend you to take a moment to report it in via the Feedback Hub (Windows + F) then try the Windows 10 Troubleshoot settings (found in Settings). If you are having an issue with search, see Fix problems in Windows Search. Back to top | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved | Resolved: September 19, 2019 04:58 PM PT Opened: September 11, 2019 05:18 PM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516048 | Resolved KB4524157 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516048 | Resolved KB4519976 | October 08, 2019 10:00 AM PT |
| You may receive an error when opening or using the Toshiba Qosmio AV Center Toshiba Qosmio AV Center may error when opening and you may also receive an error in Event Log related to cryptnet.dll. See details > | August 13, 2019 KB4512506 | Resolved KB4516048 | September 24, 2019 10:00 AM PT |
| Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed See details > | August 13, 2019 KB4512506 | Resolved External | August 27, 2019 02:29 PM PT |
| Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\" See details > | June 11, 2019 KB4503292 | Resolved KB4512514 | August 17, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4524157. If you are using Security Only updates, see KB4524135 for resolving KB for your platform. Back to top | September 24, 2019 KB4516048 | Resolved KB4524157 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4519976. If you are using Security Only updates, see KB4519974 for resolving KB for your platform. Back to top | September 24, 2019 KB4516048 | Resolved KB4519976 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| You may receive an error when opening or using the Toshiba Qosmio AV Center After installing KB4512506, you may receive an error when opening or using the Toshiba Qosmio AV Center. You may also receive an error in Event Log related to cryptnet.dll. Affected platforms:
Resolution: This issue was resolved in KB4516048. Back to top | August 13, 2019 KB4512506 | Resolved KB4516048 | Resolved: September 24, 2019 10:00 AM PT Opened: September 10, 2019 09:48 AM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516041 | Resolved KB4524156 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516041 | Resolved KB4520005 | October 08, 2019 10:00 AM PT |
| Windows RT 8.1 devices may have issues opening Internet Explorer 11 On Windows RT 8.1 devices, Internet Explorer 11 may not open and you may receive an error. See details > | September 10, 2019 KB4516067 | Resolved KB4516041 | September 24, 2019 10:00 AM PT |
| Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\" See details > | June 11, 2019 KB4503276 | Resolved KB4512478 | August 17, 2019 02:00 PM PT |
| Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error. See details > | August 13, 2019 KB4512488 | Resolved KB4517298 | August 16, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4524156. If you are using Security Only updates, see KB4524135 for resolving KB for your platform. Back to top | September 24, 2019 KB4516041 | Resolved KB4524156 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4520005. If you are using Security Only updates, see KB4519974 for resolving KB for your platform. Back to top | September 24, 2019 KB4516041 | Resolved KB4520005 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Windows RT 8.1 devices may have issues opening Internet Explorer 11 On Windows 8.1 RT devices, Internet Explorer 11 may not open and you may receive the error, \"C:\\Program Files\\Internet Explorer\\iexplore.exe: A certificate was explicitly revoked by its issuer.\" Affected platforms:
Resolution: This issue was resolved in KB4516041. Back to top | September 10, 2019 KB4516067 | Resolved KB4516041 | Resolved: September 24, 2019 10:00 AM PT Opened: September 13, 2019 05:25 PM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516030 | Resolved KB4524135 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516030 | Resolved KB4520002 | October 08, 2019 10:00 AM PT |
| Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\" See details > | June 11, 2019 KB4503273 | Resolved KB4512499 | August 17, 2019 02:00 PM PT |
| Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error. See details > | August 13, 2019 KB4512476 | Resolved KB4517301 | August 16, 2019 02:00 PM PT |
| MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later. See details > | June 11, 2019 KB4503273 | Resolved External | August 09, 2019 07:03 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524135. Back to top | September 24, 2019 KB4516030 | Resolved KB4524135 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4520002. If you are using Security Only updates, see KB4519974 for resolving KB for your platform. Back to top | September 24, 2019 KB4516030 | Resolved KB4520002 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516069 | Resolved KB4524154 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516069 | Resolved KB4520007 | October 08, 2019 10:00 AM PT |
| Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\" See details > | June 11, 2019 KB4503285 | Resolved KB4512512 | August 17, 2019 02:00 PM PT |
| Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error. See details > | August 13, 2019 KB4512518 | Resolved KB4517302 | August 16, 2019 02:00 PM PT |
| MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later. See details > | June 11, 2019 KB4503285 | Resolved External | August 09, 2019 07:03 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4524154. If you are using Security Only updates, see KB4524135 for resolving KB for your platform. Back to top | September 24, 2019 KB4516069 | Resolved KB4524154 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4520007. If you are using Security Only updates, see KB4519974 for resolving KB for your platform. Back to top | September 24, 2019 KB4516069 | Resolved KB4520007 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 10240.18334 September 23, 2019 KB4522009 | Resolved KB4524153 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 10240.18334 September 23, 2019 KB4522009 | Resolved KB4520011 | October 08, 2019 10:00 AM PT |
| Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". See details > | OS Build 10240.18094 January 08, 2019 KB4480962 | Mitigated | April 25, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524153. Back to top | OS Build 10240.18334 September 23, 2019 KB4522009 | Resolved KB4524153 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4520011. Back to top | OS Build 10240.18334 September 23, 2019 KB4522009 | Resolved KB4520011 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 14393.3206 September 23, 2019 KB4522010 | Resolved KB4524152 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 14393.3206 September 23, 2019 KB4522010 | Resolved KB4519998 | October 08, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 14393.3204 September 10, 2019 KB4516044 | Resolved | September 17, 2019 04:47 PM PT |
| Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data. See details > | OS Build 14393.3053 June 18, 2019 KB4503294 | Resolved KB4516044 | September 10, 2019 10:00 AM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 14393.3115 July 16, 2019 KB4507459 | Resolved KB4512517 | August 13, 2019 10:00 AM PT |
| Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". See details > | OS Build 14393.2724 January 08, 2019 KB4480961 | Mitigated | April 25, 2019 02:00 PM PT |
| Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM. See details > | OS Build 14393.2608 November 13, 2018 KB4467691 | Mitigated | February 19, 2019 10:00 AM PT |
| Cluster service may fail if the minimum password length is set to greater than 14 The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters. See details > | OS Build 14393.2639 November 27, 2018 KB4467684 | Mitigated | April 25, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524152. Back to top | OS Build 14393.3206 September 23, 2019 KB4522010 | Resolved KB4524152 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4519998. Back to top | OS Build 14393.3206 September 23, 2019 KB4522010 | Resolved KB4519998 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: After investigation, we have found that this issue does not affect this version of Windows. Back to top | OS Build 14393.3204 September 10, 2019 KB4516044 | Resolved | Resolved: September 17, 2019 04:47 PM PT Opened: September 13, 2019 05:25 PM PT |
| Details | Originating update | Status | History |
| Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.” Affected platforms:
Resolution: This issue was resolved in KB4516044. Back to top | OS Build 14393.3053 June 18, 2019 KB4503294 | Resolved KB4516044 | Resolved: September 10, 2019 10:00 AM PT Opened: August 01, 2019 05:00 PM PT |
| Details | Originating update | Status | History |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507459. Devices that are domain controllers or domain members are both affected. To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903. Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms - Affected platforms:
Resolution: This issue was resolved in KB4512517 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903. Back to top | OS Build 14393.3115 July 16, 2019 KB4507459 | Resolved KB4512517 | Resolved: August 13, 2019 10:00 AM PT Opened: July 25, 2019 06:10 PM PT |
| Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.” Affected platforms:
Resolution: This issue was resolved in KB4516044. Back to top | OS Build 14393.3053 June 18, 2019 KB4503294 | Resolved KB4516044 | Resolved: September 10, 2019 10:00 AM PT Opened: August 01, 2019 05:00 PM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 15063.2046 September 23, 2019 KB4522011 | Resolved KB4524151 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 15063.2046 September 23, 2019 KB4522011 | Resolved KB4520010 | October 08, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 15063.2045 September 10, 2019 KB4516068 | Resolved | September 17, 2019 04:47 PM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 15063.1955 July 16, 2019 KB4507467 | Resolved KB4512507 | August 13, 2019 10:00 AM PT |
| Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". See details > | OS Build 15063.1563 January 08, 2019 KB4480973 | Mitigated | April 25, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524151. Back to top | OS Build 15063.2046 September 23, 2019 KB4522011 | Resolved KB4524151 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4520010. Back to top | OS Build 15063.2046 September 23, 2019 KB4522011 | Resolved KB4520010 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: After investigation, we have found that this issue does not affect this version of Windows. Back to top | OS Build 15063.2045 September 10, 2019 KB4516068 | Resolved | Resolved: September 17, 2019 04:47 PM PT Opened: September 13, 2019 05:25 PM PT |
| Details | Originating update | Status | History |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507467. Devices that are domain controllers or domain members are both affected. To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903. Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms - Affected platforms:
Resolution: This issue was resolved in KB4512507 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903. Back to top | OS Build 15063.1955 July 16, 2019 KB4507467 | Resolved KB4512507 | Resolved: August 13, 2019 10:00 AM PT Opened: July 25, 2019 06:10 PM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 16299.1392 September 23, 2019 KB4522012 | Resolved KB4524150 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 16299.1392 September 23, 2019 KB4522012 | Resolved KB4520004 | October 08, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 16299.1387 September 10, 2019 KB4516066 | Resolved | September 19, 2019 04:08 PM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 16299.1296 July 16, 2019 KB4507465 | Resolved KB4512516 | August 13, 2019 10:00 AM PT |
| Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". See details > | OS Build 16299.904 January 08, 2019 KB4480978 | Mitigated | April 25, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524150. Back to top | OS Build 16299.1392 September 23, 2019 KB4522012 | Resolved KB4524150 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4520004. Back to top | OS Build 16299.1392 September 23, 2019 KB4522012 | Resolved KB4520004 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: Due to security related changes in KB4516066, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Back to top | OS Build 16299.1387 September 10, 2019 KB4516066 | Resolved | Resolved: September 19, 2019 04:08 PM PT Opened: September 13, 2019 05:25 PM PT |
| Details | Originating update | Status | History |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507465. Devices that are domain controllers or domain members are both affected. To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903. Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms - Affected platforms:
Resolution: This issue was resolved in KB4512516 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903. Back to top | OS Build 16299.1296 July 16, 2019 KB4507465 | Resolved KB4512516 | Resolved: August 13, 2019 10:00 AM PT Opened: July 25, 2019 06:10 PM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 17134.1009 September 23, 2019 KB4522014 | Resolved KB4524149 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 17134.1009 September 23, 2019 KB4522014 | Resolved KB4520008 | October 08, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 17134.1006 September 10, 2019 KB4516058 | Resolved | September 19, 2019 04:08 PM PT |
| Windows Mixed Reality Portal users may intermittently receive a 15-5 error code You may receive a 15-5 error code in Windows Mixed Reality Portal and your headset may not respond to \"wake up\" from sleep. See details > | OS Build 17134.950 August 13, 2019 KB4512501 | Mitigated | September 11, 2019 05:32 PM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 17134.915 July 16, 2019 KB4507466 | Resolved KB4512501 | August 13, 2019 10:00 AM PT |
| Startup to a black screen after installing updates Your device may startup to a black screen during the first logon after installing updates. See details > | OS Build 17134.829 June 11, 2019 KB4503286 | Mitigated | June 14, 2019 04:41 PM PT |
| Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". See details > | OS Build 17134.523 January 08, 2019 KB4480966 | Mitigated | April 25, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524149. Back to top | OS Build 17134.1009 September 23, 2019 KB4522014 | Resolved KB4524149 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4520008. Back to top | OS Build 17134.1009 September 23, 2019 KB4522014 | Resolved KB4520008 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: Due to security related changes in KB4516058, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Back to top | OS Build 17134.1006 September 10, 2019 KB4516058 | Resolved | Resolved: September 19, 2019 04:08 PM PT Opened: September 13, 2019 05:25 PM PT |
| Windows Mixed Reality Portal users may intermittently receive a 15-5 error code After installing KB4512501, Windows Mixed Reality Portal users may intermittently receive a 15-5 error code. In some cases, Windows Mixed Reality Portal may report that the headset is sleeping and pressing “Wake up” may appear to produce no action. Affected platforms:
Workaround: To mitigate the issue, use the following steps:
Next steps: We are working on a resolution and will provide an update in an upcoming release. Back to top | OS Build 17134.950 August 13, 2019 KB4512501 | Mitigated | Last updated: September 11, 2019 05:32 PM PT Opened: September 11, 2019 05:32 PM PT |
| Details | Originating update | Status | History |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507466. Devices that are domain controllers or domain members are both affected. To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903. Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms - Affected platforms:
Resolution: This issue was resolved in KB4512501 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903. Back to top | OS Build 17134.915 July 16, 2019 KB4507466 | Resolved KB4512501 | Resolved: August 13, 2019 10:00 AM PT Opened: July 25, 2019 06:10 PM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 17763.740 September 23, 2019 KB4522015 | Resolved KB4524148 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 17763.740 September 23, 2019 KB4522015 | Resolved KB4519338 | October 08, 2019 10:00 AM PT |
| Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data. See details > | OS Build 17763.55 October 09, 2018 KB4464330 | Resolved KB4516077 | September 24, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 17763.737 September 10, 2019 KB4512578 | Resolved | September 19, 2019 04:08 PM PT |
| Windows Mixed Reality Portal users may intermittently receive a 15-5 error code You may receive a 15-5 error code in Windows Mixed Reality Portal and your headset may not respond to \"wake up\" from sleep. See details > | OS Build 17763.678 August 13, 2019 KB4511553 | Mitigated | September 11, 2019 05:32 PM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 17763.652 July 22, 2019 KB4505658 | Resolved KB4511553 | August 13, 2019 10:00 AM PT |
| Startup to a black screen after installing updates Your device may startup to a black screen during the first logon after installing updates. See details > | OS Build 17763.557 June 11, 2019 KB4503327 | Mitigated | June 14, 2019 04:41 PM PT |
| Devices with some Asian language packs installed may receive an error After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F See details > | OS Build 17763.437 April 09, 2019 KB4493509 | Mitigated | May 03, 2019 10:59 AM PT |
| Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". See details > | OS Build 17763.253 January 08, 2019 KB4480116 | Mitigated | April 09, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524148. Back to top | OS Build 17763.740 September 23, 2019 KB4522015 | Resolved KB4524148 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4519338. Back to top | OS Build 17763.740 September 23, 2019 KB4522015 | Resolved KB4519338 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: Due to security related changes in KB4512578, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Back to top | OS Build 17763.737 September 10, 2019 KB4512578 | Resolved | Resolved: September 19, 2019 04:08 PM PT Opened: September 13, 2019 05:25 PM PT |
| Windows Mixed Reality Portal users may intermittently receive a 15-5 error code After installing KB4511553, Windows Mixed Reality Portal users may intermittently receive a 15-5 error code. In some cases, Windows Mixed Reality Portal may report that the headset is sleeping and pressing “Wake up” may appear to produce no action. Affected platforms:
Workaround: To mitigate the issue, use the following steps:
Next steps: We are working on a resolution and will provide an update in an upcoming release. Back to top | OS Build 17763.678 August 13, 2019 KB4511553 | Mitigated | Last updated: September 11, 2019 05:32 PM PT Opened: September 11, 2019 05:32 PM PT |
| Details | Originating update | Status | History |
| Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.” Affected platforms:
Resolution: This issue was resolved in KB4516077. Back to top | OS Build 17763.55 October 09, 2018 KB4464330 | Resolved KB4516077 | Resolved: September 24, 2019 10:00 AM PT Opened: August 01, 2019 05:00 PM PT |
| Details | Originating update | Status | History |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4505658. Devices that are domain controllers or domain members are both affected. To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903. Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms - Affected platforms:
Resolution: This issue was resolved in KB4511553 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903. Back to top | OS Build 17763.652 July 22, 2019 KB4505658 | Resolved KB4511553 | Resolved: August 13, 2019 10:00 AM PT Opened: July 25, 2019 06:10 PM PT |
| Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.” Affected platforms:
Resolution: This issue was resolved in KB4516077. Back to top | OS Build 17763.55 October 09, 2018 KB4464330 | Resolved KB4516077 | Resolved: September 24, 2019 10:00 AM PT Opened: August 01, 2019 05:00 PM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 18362.357 September 23, 2019 KB4522016 | Resolved KB4524147 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 18362.357 September 23, 2019 KB4522016 | Resolved KB4517389 | October 08, 2019 10:00 AM PT |
| Audio in games is quiet or different than expected Microsoft has received reports that audio in certain games is quieter or different than expected. See details > | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved KB4517211 | September 26, 2019 02:00 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved | September 19, 2019 04:08 PM PT |
| Some users report issues related to the Start menu and Windows Desktop Search Microsoft has received reports that a small number of users are having issues related to the Start menu and Windows Desktop Search. See details > | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved | September 19, 2019 04:58 PM PT |
| Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters Microsoft and NEC have found incompatibility issues with some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards when running Windows 10, version 1903. See details > | N/A | Mitigated | September 13, 2019 05:25 PM PT |
| Screenshots and Snips have an unnatural orange tint Users have reported an orange tint on Screenshots and Snips with the Lenovo Vantage app installed See details > | OS Build 18362.356 September 10, 2019 KB4516115 | Resolved External | September 11, 2019 08:54 PM PT |
| Windows Desktop Search may not return any results and may have high CPU usage Windows Desktop Search may not return any results and SearchUI.exe may have high CPU usage after installing KB4512941. See details > | OS Build 18362.329 August 30, 2019 KB4512941 | Resolved KB4515384 | September 10, 2019 10:00 AM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 18362.145 May 29, 2019 KB4497935 | Resolved KB4512941 | August 30, 2019 10:00 AM PT |
| Issues updating when certain versions of Intel storage drivers are installed Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail. See details > | OS Build 18362.145 May 29, 2019 KB4497935 | Resolved KB4512941 | August 30, 2019 10:00 AM PT |
| Updates may fail to install and you may receive Error 0x80073701 Installation of updates may fail and you may receive an error, \"Updates Failed, There were problems installing some updates, but we'll try again later\" and \"Error 0x80073701.\" See details > | OS Build 18362.145 May 29, 2019 KB4497935 | Investigating | August 16, 2019 04:28 PM PT |
| Intermittent loss of Wi-Fi connectivity Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. See details > | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated External | August 01, 2019 08:44 PM PT |
| Gamma ramps, color profiles, and night light settings do not apply in some cases Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working. See details > | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | August 01, 2019 06:27 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524147. Back to top | OS Build 18362.357 September 23, 2019 KB4522016 | Resolved KB4524147 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4517389. Back to top | OS Build 18362.357 September 23, 2019 KB4522016 | Resolved KB4517389 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Audio in games is quiet or different than expected Microsoft has received reports that audio in certain games is quieter or different than expected. At the request of some of our audio partners, we implemented a compatibility change that enabled certain games to query support and render multi-channel audio. Due to customer feedback, we are reverting this change as some games and some devices are not rendering multi-channel audio as expected. This may result in games sounding different than customers are used to and may have missing channels. Affected platforms:
Resolution: This issue was resolved in KB4517211. Back to top | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved KB4517211 | Resolved: September 26, 2019 02:00 PM PT Opened: September 13, 2019 05:25 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: Due to security related changes in KB4515384, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Back to top | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved | Resolved: September 19, 2019 04:08 PM PT Opened: September 13, 2019 05:25 PM PT |
| Some users report issues related to the Start menu and Windows Desktop Search Microsoft has received reports that a small number of users are having issues related to the Start menu and Windows Desktop Search. Affected platforms:
Resolution: At this time, Microsoft has not found a Search or Start issue significantly impacting users originating from KB4515384. We will continue monitoring to ensure users have a high-quality experience when interacting with these areas. If you are currently having issues, we recommend you to take a moment to report it in via the Feedback Hub (Windows + F) then try the Windows 10 Troubleshoot settings (found in Settings). If you are having an issue with search, see Fix problems in Windows Search. Back to top | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved | Resolved: September 19, 2019 04:58 PM PT Opened: September 11, 2019 05:18 PM PT |
| Details | Originating update | Status | History |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4497935. Devices that are domain controllers or domain members are both affected. To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903. Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms - Affected platforms:
Resolution: This issue was resolved in KB4512941 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903. Back to top | OS Build 18362.145 May 29, 2019 KB4497935 | Resolved KB4512941 | Resolved: August 30, 2019 10:00 AM PT Opened: July 25, 2019 06:10 PM PT |
| Issues updating when certain versions of Intel storage drivers are installed Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903). To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST drivers, versions 15.1.0.1002 through version 15.5.2.1053 installed from installing or being offered Windows 10, version 1903 or Windows Server, version 1903, until the driver has been updated. Versions 15.5.2.1054 or later are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update. For affected devices, the recommended version is 15.9.8.1050. Affected platforms:
Resolution: This issue was resolved in KB4512941 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903. Back to top | OS Build 18362.145 May 29, 2019 KB4497935 | Resolved KB4512941 | Resolved: August 30, 2019 10:00 AM PT Opened: July 25, 2019 06:10 PM PT |
| The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU Microsoft has identified a compatibility issue on some Surface Book 2 devices configured with Nvidia discrete graphics processing unit (dGPU). After updating to Windows 10, version 1903 (May 2019 Feature Update), some apps or games that needs to perform graphics intensive operations may close or fail to open. To safeguard your update experience, we have applied a compatibility hold on Surface Book 2 devices with Nvidia dGPUs from being offered Windows 10, version 1903, until this issue is resolved. Affected platforms:
Workaround: To mitigate the issue if you are already on Windows 10, version 1903, you can restart the device or select the Scan for hardware changes button in the Action menu or on the toolbar in Device Manager. Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved. Next steps: We are working on a resolution and will provide an update in an upcoming release. Back to top | OS Build 18362.145 May 29, 2019 KB4497935 | Investigating | Last updated: July 16, 2019 09:04 AM PT Opened: July 12, 2019 04:20 PM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516048 | Resolved KB4524157 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516048 | Resolved KB4519976 | October 08, 2019 10:00 AM PT |
| You may receive an error when opening or using the Toshiba Qosmio AV Center Toshiba Qosmio AV Center may error when opening and you may also receive an error in Event Log related to cryptnet.dll. See details > | August 13, 2019 KB4512506 | Resolved KB4516048 | September 24, 2019 10:00 AM PT |
| IA64 and x64 devices may fail to start after installing updates After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start. See details > | August 13, 2019 KB4512506 | Mitigated | August 17, 2019 12:59 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4524157. If you are using Security Only updates, see KB4524135 for resolving KB for your platform. Back to top | September 24, 2019 KB4516048 | Resolved KB4524157 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4519976. If you are using Security Only updates, see KB4519974 for resolving KB for your platform. Back to top | September 24, 2019 KB4516048 | Resolved KB4519976 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| You may receive an error when opening or using the Toshiba Qosmio AV Center After installing KB4512506, you may receive an error when opening or using the Toshiba Qosmio AV Center. You may also receive an error in Event Log related to cryptnet.dll. Affected platforms:
Resolution: This issue was resolved in KB4516048. Back to top | August 13, 2019 KB4512506 | Resolved KB4516048 | Resolved: September 24, 2019 10:00 AM PT Opened: September 10, 2019 09:48 AM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516041 | Resolved KB4524156 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516041 | Resolved KB4520005 | October 08, 2019 10:00 AM PT |
| Windows RT 8.1 devices may have issues opening Internet Explorer 11 On Windows RT 8.1 devices, Internet Explorer 11 may not open and you may receive an error. See details > | September 10, 2019 KB4516067 | Resolved KB4516041 | September 24, 2019 10:00 AM PT |
| Japanese IME doesn't show the new Japanese Era name as a text input option If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option. See details > | April 25, 2019 KB4493443 | Mitigated | May 15, 2019 05:53 PM PT |
| Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. See details > | January 08, 2019 KB4480963 | Mitigated | April 25, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4524156. If you are using Security Only updates, see KB4524135 for resolving KB for your platform. Back to top | September 24, 2019 KB4516041 | Resolved KB4524156 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4520005. If you are using Security Only updates, see KB4519974 for resolving KB for your platform. Back to top | September 24, 2019 KB4516041 | Resolved KB4520005 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Windows RT 8.1 devices may have issues opening Internet Explorer 11 On Windows 8.1 RT devices, Internet Explorer 11 may not open and you may receive the error, \"C:\\Program Files\\Internet Explorer\\iexplore.exe: A certificate was explicitly revoked by its issuer.\" Affected platforms:
Resolution: This issue was resolved in KB4516041. Back to top | September 10, 2019 KB4516067 | Resolved KB4516041 | Resolved: September 24, 2019 10:00 AM PT Opened: September 13, 2019 05:25 PM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516030 | Resolved KB4524135 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516030 | Resolved KB4520002 | October 08, 2019 10:00 AM PT |
| Issues manually installing updates by double-clicking the .msu file You may encounter issues manually installing updates by double-clicking the .msu file and may receive an error. See details > | September 10, 2019 KB4474419 | Mitigated KB4474419 | September 24, 2019 08:17 AM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524135. Back to top | September 24, 2019 KB4516030 | Resolved KB4524135 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4520002. If you are using Security Only updates, see KB4519974 for resolving KB for your platform. Back to top | September 24, 2019 KB4516030 | Resolved KB4520002 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Issues manually installing updates by double-clicking the .msu file After installing the SHA-2 update (KB4474419) released on September 10, 2019, you may encounter issues manually installing updates by double-clicking on the .msu file and may receive the error, \"Installer encountered an error: 0x80073afc. The resource loader failed to find MUI file.\" Affected platforms:
Workaround: Open a command prompt and use the following command (replacing <msu location> with the actual location and filename of the update): wusa.exe <msu location> /quiet Resolution: This issue is resolved in KB4474419 released September 23, 2019. Currently, this version is only available from the Microsoft Update Catalog. To resolve this issue, you will need to manually download the package and use the workaround above to install it. Next steps: We estimate a solution will be available in mid-October on Windows Update and Windows Server Update Services (WSUS). Back to top | September 10, 2019 KB4474419 | Mitigated KB4474419 | Last updated: September 24, 2019 08:17 AM PT Opened: September 20, 2019 04:57 PM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516069 | Resolved KB4524154 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516069 | Resolved KB4520007 | October 08, 2019 10:00 AM PT |
| Japanese IME doesn't show the new Japanese Era name as a text input option If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option. See details > | April 25, 2019 KB4493462 | Mitigated | May 15, 2019 05:53 PM PT |
| Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. See details > | January 08, 2019 KB4480975 | Mitigated | April 25, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4524154. If you are using Security Only updates, see KB4524135 for resolving KB for your platform. Back to top | September 24, 2019 KB4516069 | Resolved KB4524154 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4520007. If you are using Security Only updates, see KB4519974 for resolving KB for your platform. Back to top | September 24, 2019 KB4516069 | Resolved KB4520007 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Message | Date |
| Take action: Security update available for all supported versions of Windows On October 3, 2019, Microsoft expanded delivery of the out-of-band Internet Explorer scripting engine security vulnerability (CVE-2019-1367) update released on September 23, 2019 to Windows Update and Windows Server Update Services (WSUS). This is now a required security update for all supported versions of Windows as it includes the Internet Explorer scripting engine vulnerability mitigation and corrects a recent printing issue some users have experienced. All customers using Windows Update or WSUS will be offered this update automatically. We recommend that you install this update as soon as a possible, then restart your PC to fully apply the mitigations and help secure your devices. As with all cumulative updates, this update supersedes any preceding update. Note: This update does not replace the standard October 2019 monthly security update release, which is scheduled for October 8, 2019. | October 03, 2019 08:00 AM PT |
| Take Action: October 2019 security update available for all supported versions of Windows The October 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1903 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate. | October 08, 2019 08:00 AM PT |
| Take action: Security update available for all supported versions of Windows On October 3, 2019, Microsoft expanded delivery of the out-of-band Internet Explorer scripting engine security vulnerability (CVE-2019-1367) update released on September 23, 2019 to Windows Update and Windows Server Update Services (WSUS). This is now a required security update for all supported versions of Windows as it includes the Internet Explorer scripting engine vulnerability mitigation and corrects a recent printing issue some users have experienced. All customers using Windows Update or WSUS will be offered this update automatically. We recommend that you install this update as soon as a possible, then restart your PC to fully apply the mitigations and help secure your devices. As with all cumulative updates, this update supersedes any preceding update. Note: This update does not replace the standard October 2019 monthly security update release, which is scheduled for October 8, 2019. | October 03, 2019 08:00 AM PT |
| September 2019 Windows 10, version 1903 \"D\" optional release is available The September 2019 optional monthly “D” release for Windows 10, version 1903 is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release. | September 26, 2019 02:00 PM PT |
| Status update: September 2019 Windows \"C\" optional release available The September 2019 optional monthly “C” release for all supported versions of Windows is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release. | September 24, 2019 08:10 AM PT |
| Plan for change: Windows Media Center Electronic Program Guide retiring in January 2020 Starting in January 2020, Microsoft is retiring its Electronic Program Guide (EPG) service for all versions of Windows Media Center. To continue receiving TV Program Guide information on your Windows Media Center, you’ll need to configure an alternate TV listing provider. | September 24, 2019 08:00 AM PT |
| August 2019 security update now available for Windows 10, version 1903 and all supported versions of Windows The August 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1903 and all supported versions of Windows. A “B” release is the primary, regular update event for each month and is the only regular release that contains security fixes. As a result, we recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate. | August 13, 2019 10:00 AM PT |
| Advisory: Bluetooth encryption key size vulnerability disclosed (CVE-2019-9506) On August 13, 2019, Microsoft released security updates to address a Bluetooth key length encryption vulnerability. To exploit this vulnerability, an attacker would need specialized hardware and would be limited by the signal range of the Bluetooth devices in use. For more information about this industry-wide issue, see CVE-2019-9506 | Bluetooth Encryption Key Size Vulnerability in the Microsoft Security Update Guide and important guidance for IT pros in KB4514157. (Note: we are documenting this vulnerability together with guidance for IT admins as part of a coordinated industry disclosure effort.) | August 13, 2019 10:00 AM PT |
| Advisory: Windows Advanced Local Procedure Call Elevation of Privilege vulnerability disclosed (CVE-2019-1162) On August 13, 2019, Google Project Zero (GPZ) disclosed an Elevation of Privilege (EoP) vulnerability in how Windows handles calls to Advanced Local Procedure Call (ALPC) that affects Windows operating systems, versions 8.1 and higher. An attacker must already have code execution on the target system to leverage these vulnerabilities. Microsoft released security updates on August 13, 2019 that partially address this issue. Other items disclosed by GPZ require more time to address and we are working to release a resolution in mid-September. For more information, see CVE-2019-1162 | Windows ALPC Elevation of Privilege Vulnerability | August 13, 2019 10:00 AM PT |
| Take action: Windows 10, version 1803 (the April 2018 Update) reaches end of service on November 12, 2019 Windows 10, version 1803 (the April 2018 Update) will reach end of service on November 12, 2019 for Home and Pro editions. We will begin updating devices running Windows 10, version 1803 to Windows 10, version 1903 (the May 2019 Update) starting July 16, 2019 to help ensure that these devices remain in a serviced and secure state. For more information, see the Windows 10, version 1903 section of the Windows release health dashboard. | August 13, 2019 10:00 AM PT |
| Take action: Windows 10, version 1803 (the April 2018 Update) reaches end of service on November 12, 2019 Windows 10, version 1803 (the April 2018 Update) will reach end of service on November 12, 2019 for Home and Pro editions. We will begin updating devices running Windows 10, version 1803 to Windows 10, version 1903 (the May 2019 Update) starting July 16, 2019 to help ensure that these devices remain in a serviced and secure state. For more information, see the Windows 10, version 1903 section of the Windows release health dashboard. | August 13, 2019 10:00 AM PT |
| Advisory: Windows Kernel Information Disclosure Vulnerability (CVE-2019-1125) On July 9, 2019, Microsoft released a security update for a Windows kernel information disclosure vulnerability (CVE-2019-1125). Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically; no further configuration is necessary. For more information, see CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability in the Microsoft Security Update Guide. (Note: we are documenting this mitigation publicly today, instead of back in July, as part of a coordinated industry disclosure effort.) | August 06, 2019 10:00 AM PT |
| Resolved August 1, 2019 16:00 PT: Microsoft Store users may encounter blank screens when clicking on certain buttons Some customers running the version of the Microsoft Store app released on July 29, 2019 encountered a blank screen when selecting “Switch out of S mode,” “Get Genuine,” or some “Upgrade to [version]” OS upgrade options. This issue has now been resolved and a new version of the Microsoft Store app has been released. Users who encountered this issue will need to update the Microsoft Store app on their device. If you are still encountering an issue, please see Fix problems with apps from Microsoft Store. | August 01, 2019 02:00 PM PT |
| Status update: Windows 10, version 1903 “D” release now available The optional monthly “D” release for Windows 10, version 1903 is now available. Follow @WindowsUpdate for the latest on the availability of this release. | July 26, 2019 02:00 PM PT |
+
+3. In the Azure portal, you can verify that the Microsoft PIN reset service is integrated from the **Enterprise applications**, **All applications** blade.
+ + +#### Configure Windows devices to use PIN reset using Group Policy +You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object. + +1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory. +2. Edit the Group Policy object from step 1. +3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**. +4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. + +#### Configure Windows devices to use PIN reset using Microsoft Intune +To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 custom device policy](https://docs.microsoft.com/intune/custom-settings-windows-10) to enable the feature. Configure the policy using the following Windows policy configuration service provider (CSP): + +##### Create a PIN Reset Device configuration profile using Microsoft Intune + +1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account. +2. You need your tenant ID to complete the following task. You can discovery your tenant ID viewing the **Properties** of your Azure Active Directory from the Azure Portal. You can also use the following command in a command Window on any Azure AD joined or hybrid Azure AD joined computer. + ``` + dsregcmd /status | findstr -snip "tenantid" + ``` +3. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. Click **Create profile**. +4. Type **Use PIN Recovery** in the **Name** field. Select **Windows 10 and later** from the **Platform** list. Select **Custom** from the **Profile type** list. +5. In the **Custom OMA-URI Settings** blade, Click **Add**. +6. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where *tenant ID* is your Azure Active Directory tenant ID from step 2. +7. Select **Boolean** from the **Data type** list and select **True** from the **Value** list. +8. Click **OK** to save the row configuration. Click **OK** to close the Custom OMA-URI Settings blade. Click **Create to save the profile. + +##### Assign the PIN Reset Device configuration profile using Microsoft Intune +1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account. +2. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. From the list of device configuration profiles, click the profile that contains the PIN reset configuration. +3. In the device configuration profile, click **Assignments**. +4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups. + +### On-premises Deployments + +**Requirements** +* Active Directory +* On-premises Windows Hello for Business deployment +* Reset from settings - Windows 10, version 1703, Professional +* Reset above Lock - Windows 10, version 1709, Professional + +On-premises deployments provide users with the ability to reset forgotten PINs either through the settings page or from above the user's lock screen. Users must know or be provided their password for authentication, must perform a second factor of authentication, and then re-provision Windows Hello for Business. + +>[!IMPORTANT] +>Users must have corporate network connectivity to domain controllers and the federation service to reset their PINs. + +#### Reset PIN from Settings +1. Sign-in to Windows 10, version 1703 or later using an alternate credential. +2. Open **Settings**, click **Accounts**, click **Sign-in options**. +3. Under **PIN**, click **I forgot my PIN** and follow the instructions. + +#### Reset PIN above the Lock Screen + 1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in + 2. Enter your password and press enter. + 3. Follow the instructions provided by the provisioning process + 4. When finished, unlock your desktop using your newly created PIN. + +>[!NOTE] +> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video. + +## Dual Enrollment + +**Requirements** +* Hybrid and On-premises Windows Hello for Business deployments +* Enterprise Joined or Hybrid Azure joined devices +* Windows 10, version 1709 + +> [!NOTE] +> This feature was previously known as **Privileged Credential** but was renamed to **Dual Enrollment** to prevent any confusion with the **Privileged Access Workstation** feature. + +> [!IMPORTANT] +> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users. Enterprises can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature cannot be used. Read [Privileged Access Workstations](https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information. + +Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device. + +By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices. + +With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternating between privileged and non-privileged workloads. + +> [!IMPORTANT] +> You must configure a Windows 10 computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation. + +### Configure Windows Hello for Business Dual Enroll +In this task you will +- Configure Active Directory to support Domain Administrator enrollment +- Configure Dual Enrollment using Group Policy + +#### Configure Active Directory to support Domain Administrator enrollment +The designed Windows for Business configuration has you give the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy. + +Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but will they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute. + +Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. + +1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object. +```dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink``` +where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and **domainName\keyAdminGroup]** is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example: +```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink``` +2. To trigger security descriptor propagation, open **ldp.exe**. +3. Click **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and click **OK**. +4. Click **Connection** and select **Bind...** Click **OK** to bind as the currently signed-in user. +5. Click **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type **1**. Click **Enter** to add this to the **Entry List**. +6. Click **Run** to start the task. +7. Close LDP. + +#### Configuring Dual Enrollment using Group Policy +You configure Windows 10 to support dual enrollment using the computer configuration portion of a Group Policy object. + +1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users. +2. Edit the Group Policy object from step 1. +3. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**. +4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. +5. Restart computers targeted by this Group Policy object. + +The computer is ready for dual enrollment. Sign-in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign-out and sign-in as the non-privileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users. + +## Remote Desktop with Biometrics + +> [!Warning] +> Some information relates to pre-released product that may change before it is commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +**Requirements** +- Hybrid and On-premises Windows Hello for Business deployments +- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices +- Certificate trust deployments +- Biometric enrollments +- Windows 10, version 1809 + +Users using earlier versions of Windows 10 could remote desktop to using Windows Hello for Business but were limited to the using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809. + +> [!IMPORTANT] +> The remote desktop with biometrics feature only works with certificate trust deployments. The feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Microsoft continues to investigate supporting this feature for key trust deployments. + +### How does it work +It start with creating cryptographic keys. Windows generates and stores cryptographic keys using a software component called a key storage provider (KSP). Software-based keys are created and stored using the Microsoft Software Key Storage Provider. Smart card keys are created and stored using the Microsoft Smart Card Key Storage Provider. Keys created and protected by Windows Hello for Business are created and stored using the Microsoft Passport Key Storage Provider. + +A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP. Windows requests a certificate based on the key pair from your enterprises issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store. The private key remains on the smart card and the public key is stored with the certificate. Metadata on the certificate (and the key) store the key storage provider used to create the key (remember the certificate contains the public key). + +This same concept applies to Windows Hello for Business. Except, the keys are created using the Microsoft Passport KSP and the user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide this complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers directs the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card). + +Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN. Windows 10, version 1809 no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows 10 to prompt the user for their biometric gesture or PIN. + +### Compatibility +Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it. + + + +> [!IMPORTANT] +> The remote desktop with biometric feature does not work with [Dual Enrollment](#dual-enrollment) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature. + ## Related topics diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index d1c11a2a8c..060bf7e60a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -44,7 +44,7 @@ If you upgraded your Active Directory schema to the Windows Server 2016 schema a A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration. A user cannot provision Windows Hello for Business unless the device from which they are trying to provision has registered with Azure Active Directory. For more information about device registration, read [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/devices/overview). You can use the **dsregcmd.exe** command to determine if your device is registered to Azure Active Directory. - + ### CRL Distribution Point (CDP) @@ -122,7 +122,7 @@ You need to host your new certificate revocation list of a web server so Azure A 5. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Configuration Editor**. 6. In the **Section** list, navigate to **system.webServer/security/requestFiltering**.  - In the list of named value-pairs in the content pane, configure **allowDoubleEscapting** to **True**. Click **Apply** in the actions pane. + In the list of named value-pairs in the content pane, configure **allowDoubleEscaping** to **True**. Click **Apply** in the actions pane.  7. Close **Internet Information Services (IIS) Manager**. @@ -264,7 +264,7 @@ Steps you will perform include: 1. Sign-in a domain controller using administrative credentials. 2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer. 3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. -4. Click the **Certification Path** tab. In the **Certifcation path** view, select the top most node and click **View Certificate**. +4. Click the **Certification Path** tab. In the **Certification path** view, select the top most node and click **View Certificate**.  5. In the new **Certificate** dialog box, click the **Details** tab. Click **Copy to File**.  diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 433457239a..cf2079e8e5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -205,7 +205,7 @@ When you're using AD FS, you need to enable the following WS-Trust endpoints: `/adfs/services/trust/13/certificatemixed` > [!WARNING] -> Both **adfs/services/trust/2005/windowstransport** or **adfs/services/trust/13/windowstransport** should be enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web Application Proxy. To learn more on how to disable WS-Trust WIndows endpoints, see [Disable WS-Trust Windows endpoints on the proxy](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#disable-ws-trust-windows-endpoints-on-the-proxy-ie-from-extranet). You can see what endpoints are enabled through the AD FS management console under **Service** > **Endpoints**. +> Both **adfs/services/trust/2005/windowstransport** and **adfs/services/trust/13/windowstransport** should be enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web Application Proxy. To learn more on how to disable WS-Trust Windows endpoints, see [Disable WS-Trust Windows endpoints on the proxy](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#disable-ws-trust-windows-endpoints-on-the-proxy-ie-from-extranet). You can see what endpoints are enabled through the AD FS management console under **Service** > **Endpoints**. > [!NOTE] >If you don’t have AD FS as your on-premises federation service, follow the instructions from your vendor to make sure they support WS-Trust 1.3 or 2005 endpoints and that these are published through the Metadata Exchange file (MEX). diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 081ef80a5d..73d306bba1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -79,7 +79,7 @@ The key trust type does not require issuing authentication certificates to end u The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. > [!NOTE] -> RDP does not support authentication with Windows Hello for business key trust deployments. RDP is only supported with certificate trust deployments at this tim +> RDP does not support authentication with Windows Hello for Business key trust deployments. RDP is only supported with certificate trust deployments at this time. #### Device registration @@ -91,6 +91,9 @@ The built-in Windows Hello for Business provisioning experience creates a hardwa #### Multifactor authentication +> [!IMPORTANT] +> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multi-factor authentication for their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfaserver-deploy) for more details. + The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The built-in provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential. Cloud only and hybrid deployments provide many choices for multi-factor authentication. On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multi-factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information). diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 281385a751..f6259064c6 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -108,21 +108,22 @@ ### [Advanced hunting]() #### [Advanced hunting overview](microsoft-defender-atp/overview-hunting.md) -#### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md) -#### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md) +#### [Learn the query language](microsoft-defender-atp/advanced-hunting.md) +#### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md) #### [Advanced hunting schema reference]() -##### [All tables in the Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md) -##### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md) -##### [FileCreationEvents table](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md) -##### [ImageLoadEvents table](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md) -##### [LogonEvents table](microsoft-defender-atp/advanced-hunting-logonevents-table.md) -##### [MachineInfo table](microsoft-defender-atp/advanced-hunting-machineinfo-table.md) -##### [MachineNetworkInfo table](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md) -##### [MiscEvents table](microsoft-defender-atp/advanced-hunting-miscevents-table.md) -##### [NetworkCommunicationEvents table](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md) -##### [ProcessCreationEvents table](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md) -##### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md) -#### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md) +##### [Understand the schema](microsoft-defender-atp/advanced-hunting-reference.md) +##### [AlertEvents](microsoft-defender-atp/advanced-hunting-alertevents-table.md) +##### [FileCreationEvents](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md) +##### [ImageLoadEvents](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md) +##### [LogonEvents](microsoft-defender-atp/advanced-hunting-logonevents-table.md) +##### [MachineInfo](microsoft-defender-atp/advanced-hunting-machineinfo-table.md) +##### [MachineNetworkInfo](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md) +##### [MiscEvents](microsoft-defender-atp/advanced-hunting-miscevents-table.md) +##### [NetworkCommunicationEvents](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md) +##### [ProcessCreationEvents](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md) +##### [RegistryEvents](microsoft-defender-atp/advanced-hunting-registryevents-table.md) +#### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md) +#### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md) #### [Custom detections]() diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index 2c39b15201..2fa857956a 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium ms.author: dansimp author: dansimp -ms.date: 09/12/2019 +ms.date: 10/04/2019 ms.reviewer: dansimp manager: dansimp audience: ITPro @@ -20,21 +20,181 @@ audience: ITPro Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Microsoft Defender ATP provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices: -1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling: - - [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware. - - The [Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB. - - [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in. +1. [Discover plug and play connected events for peripherals in Microsoft Defender ATP advanced hunting](#discover-plug-and-play-connected-events). Identify or investigate suspicious usage activity. -2. [Detect plug and play connected events for peripherals in Microsoft Defender ATP advanced hunting](#detect-plug-and-play-connected-events) - - Identify or investigate suspicious usage activity. Create customized alerts based on these PnP events or any other Microsoft Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). +2. Configure to allow or block only certain removable devices and prevent threats. + 1. [Allow or block removable devices](#allow-or-block-removable-devices) based on granular configuration to deny write access to removable disks and approve or deny devices by USB vendor IDs, product IDs, device IDs, or a combination. Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. -3. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral: - - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination. - - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. + 2. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling: + - Windows Defender Antivirus real-time protection (RTP) to scan removable storage for malware. + - The Attack Surface Reduction (ASR) USB rule to block untrusted and unsigned processes that run from USB. + - Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA Protection for Thunderbolt and blocking DMA until a user signs in. +3. [Create customized alerts and response actions](#create-customized-alerts-and-response-actions) to monitor usage of removable devices based on these plug and play events or any other Microsoft Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules). + +4. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral. >[!Note] >These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Microsoft Defender ATP and Azure Information Protection. +## Discover plug and play connected events + +You can view plug and play connected events in Microsoft Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations. +For examples of Microsoft Defender ATP advanced hunting queries, see the [Microsoft Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). + +Sample Power BI report templates are available for Microsoft Defender ATP that you can use for Advanced hunting queries. With these sample templates, including one for device control, you can integrate the power of Advanced hunting into Power BI. See the [GitHub repository for PowerBI templates](https://github.com/microsoft/MDATP-PowerBI-Templates) for more information. See [Create custom reports using Power BI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/api-power-bi) to learn more about Power BI integration. + +## Allow or block removable devices +The following table describes the ways Microsoft Defender ATP can allow or block removable devices based on granular configuration. + +| Control | Description | +|----------|-------------| +| [Restrict USB drives and other peripherals](#restrict-usb-drives-and-other-peripherals) | You can allow/prevent users to install only the USB drives and other peripherals included on a list of authorized/unauthorized devices or device types. | +| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | You can't install or use removable storage. | +| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | You can only install and use approved peripherals that report specific properties in their firmware. | +| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | You can't install or use prohibited peripherals that report specific properties in their firmware. | +| [Limit services that use Bluetooth](#limit-services-that-use-bluetooth) | You can limit the services that can use Bluetooth. | +| [Use Microsoft Defender ATP baseline settings](#use-microsoft-defender-atp-baseline-settings) | You can set the recommended configuration for ATP by using the Microsoft Defender ATP security baseline. | + +### Restrict USB drives and other peripherals + +To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender ATP can help prevent installation and usage of USB drives and other peripherals. + +| Control | Description +|----------|-------------| +| [Allow installation and usage of USB drives and other peripherals](#allow-installation-and-usage-of-usb-drives-and-other-peripherals) | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types | +| [Prevent installation and usage of USB drives and other peripherals](#prevent-installation-and-usage-of-usb-drives-and-other-peripherals) | Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types | + +All of the above controls can be set through the Intune [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates: + + + +>[!Note] +>Using Intune, you can apply device configuration policies to Azure AD user and/or device groups. +The above policies can also be set through the [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) and the [Device Installation GPOs](https://docs.microsoft.com/previous-versions/dotnet/articles/bb530324(v=msdn.10)). + +> [!Note] +> Always test and refine these settings with a pilot group of users and devices first before applying them in production. +For more information about controlling USB devices, see the [Microsoft Defender ATP blog](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/). + +#### Allow installation and usage of USB drives and other peripherals + +One way to approach allowing installation and usage of USB drives and other peripherals is to start by allowing everything. Afterwards, you can start reducing the allowable USB drivers and other peripherals. + +>[!Note] +>Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. + +1. Enable **Prevent installation of devices not described by other policy settings** to all users. +2. Enable **Allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). + +To enforce the policy for already installed devices, apply the prevent policies that have this setting. + +When configuring the allow device installation policy, you must allow all parent attributes as well. You can view the parents of a device by opening Device Manager and view by connection. + + + +In this example, the following classes needed to be added: HID, Keyboard, and {36fc9e60-c465-11cf-8056-444553540000}. See [Microsoft-provided USB drivers](https://docs.microsoft.com/windows-hardware/drivers/usbcon/supported-usb-classes) for more information. + + + +If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device ID that you want to add. To find the vendor or product IDs, see [Look up device vendor ID or product ID](#look-up-device-vendor-id-or-product-id). + +For example: + +1. Remove class USBDevice from the **Allow installation of devices using drivers that match these device setup**. +2. Add the vendor ID or product ID to allow in the **Allow installation of device that match any of these device IDs**. + + +#### Prevent installation and usage of USB drives and other peripherals + +If you want to prevent the installation of a device class or certain devices, you can use the prevent device installation policies: + +1. Enable **Prevent installation of devices that match any of these device IDs**. +2. Enable **Prevent installation of devices that match these device setup classes**. + +> [!Note] +> The prevent device installation policies take precedence over the allow device installation policies. + +The **Prevent installation of devices that match any of these device IDs** policy allows you to specify a list of vendor or product IDs for devices that Windows is prevented from installing. + +To prevent installation of devices that match any of these device IDs: + +1. [Look up device vendor ID or product ID](#look-up-device-vendor-id-or-product-id) for devices that you want Windows to prevent from installing. + +2. Enable **Prevent installation of devices that match any of these device IDs** and add the vendor or product IDs to the list. + + +#### Look up device vendor ID or product ID +You can use Device Manager to look up a device vendor or product ID. + +1. Open Device Manager. +2. Click **View** and select **Devices by connection**. +3. From the tree, right-click the device and select **Properties**. +4. In the dialog box for the selected device, click the **Details** tab. +5. Click the **Property** drop-down list and select **Hardware Ids**. +6. Right-click the top ID value and select **Copy**. + +For information on vendor and product ID formats, see [Standard USB Identifiers](https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers). + +For information on vendor IDs, see [USB members](https://www.usb.org/members). + +The following is an example for looking up a device vendor ID or product ID using PowerShell: +``` PowerShell +Get-WMIObject -Class Win32_DiskDrive | +Select-Object -Property * +``` + +### Block installation and usage of removable storage + +1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). +2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. + +  + +3. Use the following settings: + + - Name: Type a name for the profile + - Description: Type a description + - Platform: Windows 10 and later + - Profile type: Device restrictions + +  + +4. Click **Configure** > **General**. + +5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**. **Removable storage** includes USB drives, whereas **USB connection (mobile only)** excludes USB charging but includes other USB connections on mobile devices only. + +  + +6. Click **OK** to close **General** settings and **Device restrictions**. + +7. Click **Create** to save the profile. + +### Only allow installation and usage of specifically approved peripherals + +Peripherals that are allowed to be installed can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + +For a SyncML example that allows installation of specific device IDs, see [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdeviceids). To allow specific device classes, see [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdevicesetupclasses). +Allowing installation of specific devices requires also enabling [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings). + +### Prevent installation of specifically prohibited peripherals + +Microsoft Defender ATP blocks installation and usage of prohibited peripherals by using either of these options: + +- [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows) can block any device with a matching hardware ID or setup class. +- [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) with a custom profile in Intune. You can [prevent installation of specific device IDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids) or [prevent specific device classes](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses). + +### Limit services that use Bluetooth + +Using Intune, you can limit the services that can use Bluetooth through the ["Bluetooth allowed services"](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist-usage-guide). The default state of "Bluetooth allowed services" settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and doesn’t add the file transfer GUIDs, file transfer should be blocked. + + + +### Use Microsoft Defender ATP baseline settings + +The Microsoft Defender ATP baseline settings represent the recommended configuration for ATP. Configuration settings for baseline are located in the edit profile page of the configuration settings. + + + ## Prevent threats from removable storage Removable storage devices can introduce additional security risk to your organization. Microsoft Defender ATP can help identify and block malicious files on removable storage devices. @@ -46,15 +206,15 @@ Note that if you block USB devices or any other device classes using the device >[!NOTE] >Always test and refine these settings with a pilot group of users and devices first before widely distributing to your organization. -The following table describes the ways Microsoft Defender ATP can help prevent installation and usage of USB peripherals. +The following table describes the ways Microsoft Defender ATP can help prevent threats from removable storage. For more information about controlling USB devices, see the [Microsoft Defender ATP blog](https://aka.ms/devicecontrolblog). | Control | Description | |----------|-------------| -| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage | -| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware | -| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware | +| [Enable Windows Defender Antivirus Scanning](#enable-windows-defender-antivirus-scanning) | Enable Windows Defender Antivirus scanning for real-time protection or scheduled scans.| +| [Block untrusted and unsigned processes on USB peripherals](#block-untrusted-and-unsigned-processes-on-usb-peripherals) | Block USB files that are unsigned or untrusted. | +| [Protect against Direct Memory Access (DMA) attacks](#protect-against-direct-memory-access-dma-attacks) | Configure settings to protect against DMA attacks. | >[!NOTE] >Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. @@ -76,7 +236,7 @@ Protecting authorized removable storage with Windows Defender Antivirus requires End-users might plug in removable devices that are infected with malware. To prevent infections, a company can block USB files that are unsigned or untrusted. -Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral. +Alternatively, companies can leverage the audit feature of [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral. This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively. With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards. Affected file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files. @@ -122,142 +282,15 @@ DMA attacks can lead to disclosure of sensitive information residing on a PC, or - [Block DMA until a user signs in](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) - [Block all connections via the Thunderbolt ports (including USB devices)](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d) -### Restrict USB Drives and Other Peripherals +## Create customized alerts and response actions -To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender Advanced Threat Protection can help prevent installation and usage of USB drives and other peripherals. - - Control | Description --|- - Allow installation and usage of USB drives and other peripherals | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types - Prevent installation and usage of USB drives and other peripherals | Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types - -All of the above controls can be set through the Intune [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates: - - - ->[!Note] ->Using Intune, you can apply device configuration policies to AAD user and/or device groups. -The above policies can also be set through the [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) and the [Device Installation GPOs](https://docs.microsoft.com/previous-versions/dotnet/articles/bb530324(v=msdn.10)). - -> [!Note] -> Always test and refine these settings with a pilot group of users and devices first before applying them in production. -For more information about controlling USB devices, see the [Microsoft Defender ATP blog](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/). - -### Allow installation and usage of USB drives and other peripherals - -One way to approach allowing installation and usage of USB drives and other peripherals is to start by allowing everything. Afterwards, you can start reducing the allowable USB drivers and other peripherals. - ->[!Note] ->Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. -> ->1. Enable **prevent installation of devices not described by other policy settings** to all users. ->2. Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). -To enforce the policy for already installed devices, apply the prevent policies that have this setting. - -When configuring the allow device installation policy, you will need to allow all parent attributes as well. You can view the parents of a device by opening device manager and view by connection. - - - -In this example, the following classes needed to be added: HID, Keyboard, and {36fc9e60-c465-11cf-8056-444553540000}. More information on [Microsoft-provided USB drivers](https://docs.microsoft.com/windows-hardware/drivers/usbcon/supported-usb-classes). - - - -If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device id that you want to add. For example, - -1. Remove class USBDevice from the **allow installation of devices using drivers that match these device setup** -2. Add the VID/PID to allow in the **allow installation of device that match any of these device IDs** - -> [!Note] -> How to locate the VID/PID: Using Device Manager; right click on the device and select properties. Click details tab, click property drop down list, and choose hardware Ids. Right click the top ID value and select copy. - ->Using PowerShell: Get-WMIObject -Class Win32_DiskDrive | -Select-Object -Property * ->For the typical format for the USB ID please reference the following link; (https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers) - -### Prevent installation and usage of USB drives and other peripherals - -If you want to prevent a device class or certain devices, you can use the prevent device installation policies. - -1. Enable **Prevent installation of devices that match any of these device IDs**. -2. Enable the **Prevent installation of devices that match these device setup classes policy**. - -> [!Note] -> The prevent device installation policies take precedence over the allow device installation policies. - -### Block installation and usage of removable storage - -1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). -2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. - -  - -3. Use the following settings: - - - Name: Type a name for the profile - - Description: Type a description - - Platform: Windows 10 and later - - Profile type: Device restrictions - -  - -4. Click **Configure** > **General**. - -5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**. **Removable storage** includes USB drives, where **USB connection (mobile only)** excludes USB charging but includes other USB connections on mobile devices only. - -  - -6. Click **OK** to close **General** settings and **Device restrictions**. - -7. Click **Create** to save the profile. - -### Only allow installation and usage of specifically approved peripherals - -Peripherals that are allowed to be installed can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. - -For a SyncML example that allows installation of specific device IDs, see [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdeviceids). To allow specific device classes, see [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdevicesetupclasses). -Allowing installation of specific devices requires also enabling [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings). - -### Prevent installation of specifically prohibited peripherals - -Microsoft Defender ATP blocks installation and usage of prohibited peripherals by using either of these options: - -- [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows) can block any device with a matching hardware ID or setup class. -- [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) with a custom profile in Intune. You can [prevent installation of specific device IDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids) or [prevent specific device classes](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses). - -### Security Baseline - -The Microsoft Defender Advanced Threat Protection (ATP) baseline settings, represent the recommended configuration for ATP. Configuration settings for baseline are located here in the edit profile page of the configuration settings. - - - -### Bluetooth - -Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. The default state of “Bluetooth allowed services” settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked. - - - -## Respond to threats - -You can create custom alerts and automatic response actions with the [Microsoft Defender ATP Custom Detection Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules). Response actions within the custom detection cover both machine and file level actions. You can also create alerts and automatic response actions using [PowerApps](https://powerapps.microsoft.com/) and [Flow](https://flow.microsoft.com/) with the [Microsoft Defender ATP connector](https://docs.microsoft.com/connectors/wdatp/). The connector supports actions for investigation, threat scanning, and restricting running applications. It is one of over 200 pre-defined connectors including Outlook, Teams, Slack, and more. Custom connectors can also be built. See [Connectors](https://docs.microsoft.com/connectors/) to learn more about connectors. - -For example, using either approach, you can automatically have the Microsoft Defender Antivirus run when a USB device is mounted onto a machine. - -## Detect plug and play connected events - -You can view plug and play connected events in Microsoft Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations. -For examples of Microsoft Defender ATP advanced hunting queries, see the [Microsoft Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). - -Sample Power BI report templates are available for Microsoft Defender ATP that you can use for Advanced hunting queries. With these sample templates, including one for device control, you can integrate the power of Advanced hunting into Power BI. See the [GitHub repository for PowerBI templates](https://github.com/microsoft/MDATP-PowerBI-Templates) for more information. See [Create custom reports using Power BI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/api-power-bi) to learn more about Power BI integration. - -### Custom Alerts and Response Actions - -You can create custom alerts and response actions with the WDATP Connector and the Custom Detection Rules: +You can create custom alerts and response actions with the WDATP Connector and the custom detection rules: **Wdatp Connector response Actions:** **Investigate:** Initiate investigations, collect investigation package, and isolate a machine. -**Threat Scanning** on USB devices +**Threat Scanning** on USB devices. **Restrict execution of all applications** on the machine except a predefined set MDATP connector is one of over 200 pre-defined connectors including Outlook, Teams, Slack, etc. Custom connectors can be built. @@ -267,6 +300,14 @@ MDATP connector is one of over 200 pre-defined connectors including Outlook, Tea Both machine and file level actions can be applied. - [More information on Custom Detection Rules Response Actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules) +For information on device control related advance hunting events and examples on how to create custom alerts, see [Advanced hunting updates: USB events, machine-level actions, and schema changes](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Advanced-hunting-updates-USB-events-machine-level-actions-and/ba-p/824152). + +## Respond to threats + +You can create custom alerts and automatic response actions with the [Microsoft Defender ATP Custom Detection Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules). Response actions within the custom detection cover both machine and file level actions. You can also create alerts and automatic response actions using [PowerApps](https://powerapps.microsoft.com/) and [Flow](https://flow.microsoft.com/) with the [Microsoft Defender ATP connector](https://docs.microsoft.com/connectors/wdatp/). The connector supports actions for investigation, threat scanning, and restricting running applications. It is one of over 200 pre-defined connectors including Outlook, Teams, Slack, and more. Custom connectors can also be built. See [Connectors](https://docs.microsoft.com/connectors/) to learn more about connectors. + +For example, using either approach, you can automatically have the Microsoft Defender Antivirus run when a USB device is mounted onto a machine. + ## Related topics - [Configure real-time protection for Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) diff --git a/windows/security/threat-protection/device-control/images/add-vendor-id-to-prevent-list.png b/windows/security/threat-protection/device-control/images/add-vendor-id-to-prevent-list.png new file mode 100644 index 0000000000..c2cec3aca1 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/add-vendor-id-to-prevent-list.png differ diff --git a/windows/security/threat-protection/device-control/images/admintemplates.png b/windows/security/threat-protection/device-control/images/admintemplates.png index e95c44f251..4bf90b2b8a 100644 Binary files a/windows/security/threat-protection/device-control/images/admintemplates.png and b/windows/security/threat-protection/device-control/images/admintemplates.png differ diff --git a/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg b/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg index fd0666ef4c..cd814377be 100644 Binary files a/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg and b/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg differ diff --git a/windows/security/threat-protection/device-control/images/devicesbyconnection.png b/windows/security/threat-protection/device-control/images/devicesbyconnection.png index 089a1b70fe..4743358c57 100644 Binary files a/windows/security/threat-protection/device-control/images/devicesbyconnection.png and b/windows/security/threat-protection/device-control/images/devicesbyconnection.png differ diff --git a/windows/security/threat-protection/device-control/images/lookup-vendor-product-id.png b/windows/security/threat-protection/device-control/images/lookup-vendor-product-id.png new file mode 100644 index 0000000000..55be4d714a Binary files /dev/null and b/windows/security/threat-protection/device-control/images/lookup-vendor-product-id.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md index e8fd745ba1..2904a8e60e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The AlertEvents table in the Advanced hunting schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. +The AlertEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -47,8 +47,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance | Table | string | Table that contains the details of the event | ## Related topics - - [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Learn the query language](advanced-hunting.md) +- [Understand the schema](advanced-hunting-reference.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index 75465b34a5..5acedaa5f1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -1,55 +1,50 @@ --- title: Advanced hunting best practices in Microsoft Defender ATP description: Learn about Advanced hunting best practices such as what filters and keywords to use to effectively query data. -keywords: advanced hunting, best practices, keyword, filters, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics +keywords: advanced hunting, best practices, keyword, filters, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, kusto search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: macapara -author: mjcaparas +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 04/24/2018 +ms.topic: article +ms.date: 09/25/2019 --- -# Advanced hunting query best practices in Microsoft Defender ATP +# Advanced hunting query best practices **Applies to:** - - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink) -## Performance best practices -The following best practices serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries. -- When trying new queries, always use `limit` to avoid extremely large result sets or use `count` to assess the size of the result set. -- Use time filters first. Ideally, limit your queries to 7 days. +## Optimize query performance +Apply the recommendations to get results faster and avoid timeouts while running complex queries: +- When trying new queries, always use `limit` to avoid extremely large result sets. You can also initially assess the size of the result set using `count`. +- Use time filters first. Ideally, limit your queries to seven days. - Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter. - Use the `has` operator over `contains` when looking for full tokens. -- Use looking in specific column rather than using full text search across all columns. -- When joining between two tables, specify the table with fewer rows first. -- When joining between two tables, project only needed columns from both sides of the join. +- Look in a specific column rather than running full text searches across all columns. +- When joining tables, specify the table with fewer rows first. +- `project` only the necessary columns from tables you've joined. ->[!Tip] +>[!TIP] >For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/azure/kusto/query/best-practices). ## Query tips and pitfalls -### Using process IDs -Process IDs (PIDs) are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process. -To address this issue, Microsoft Defender ATP created the time process. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. +### Queries with process IDs +Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the machine identifier (either `MachineId` or `ComputerName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`). -So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either `MachineId` or `ComputerName`), a process ID (`ProcessId` or `InitiatingProcessId`) and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`) +The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares. -The following example query is created to find processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares. - -Example query: ``` NetworkCommunicationEvents | where RemotePort == 445 and EventTime > ago(12h) and InitiatingProcessId !in (0, 4) @@ -59,22 +54,19 @@ NetworkCommunicationEvents The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID. -### Using command lines - +### Queries with command lines Command lines can vary. When applicable, filter on file names and do fuzzy matching. -There are numerous ways to construct a command line to accomplish a task. +There are numerous ways to construct a command line to accomplish a task. For example, an attacker could reference an image file with or without a path, without a file extension, using environment variables, or with quotes. In addition, the attacker could also change the order of parameters or add multiple quotes and spaces. -For example, a malicious attacker could specify the process image file name without a path, with full path, without the file extension, using environment variables, add quotes, and others. In addition, the attacker can also change the order of some parameters, add multiple quotes or spaces, and much more. +To create more durable queries using command lines, apply the following practices: -To create more durable queries using command lines, we recommended the following guidelines: - -- Identify the known processes (such as net.exe, psexec.exe, and others) by matching on the filename fields, instead of filtering on the command line field. -- When querying for command line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators. +- Identify the known processes (such as *net.exe* or *psexec.exe*) by matching on the filename fields, instead of filtering on the command-line field. +- When querying for command-line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators. - Use case insensitive matches. For example, use `=~`, `in~`, `contains` instead of `==`, `in` or `contains_cs` -- To mitigate DOS command line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. This is just the start of handling DOS obfuscation techniques, but it does mitigate the most common ones. +- To mitigate DOS command-line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. Note that there are more complex DOS obfuscation techniques that require other approaches, but these can help address the most common ones. -The following example query shows various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service: +The following examples show various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service: ``` // Non-durable query - do not use @@ -93,4 +85,9 @@ ProcessCreationEvents | where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc" ``` ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink) \ No newline at end of file +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink) + +## Related topics +- [Advanced hunting overview](overview-hunting.md) +- [Learn the query language](advanced-hunting.md) +- [Understand the schema](advanced-hunting-reference.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md index 2b414ee047..04b9c39707 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The FileCreationEvents table in the Advanced hunting schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table. +The FileCreationEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -73,8 +73,6 @@ For information on other tables in the Advanced hunting schema, see [the Advanc | IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection | ## Related topics - - [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Learn the query language](advanced-hunting.md) +- [Understand the schema](advanced-hunting-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md index 160e833850..6f682f0578 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The ImageLoadEvents table in the Advanced hunting schema contains information about DLL loading events. Use this reference to construct queries that return information from the table. +The ImageLoadEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -59,8 +59,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics - - [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Learn the query language](advanced-hunting.md) +- [Understand the schema](advanced-hunting-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md index c5279cdd3d..0ef85d6027 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The LogonEvents table in the Advanced hunting schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table. +The LogonEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -67,8 +67,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance | IsLocalAdmin | boolean | Boolean indicator of whether the user is a local administrator on the machine | ## Related topics - - [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Learn the query language](advanced-hunting.md) +- [Understand the schema](advanced-hunting-reference.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md index abe7b49af5..5dd8272cc3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The MachineInfo table in the Advanced hunting schema contains information about machines in the organization, including OS version, active users, and computer name. Use this reference to construct queries that return information from the table. +The MachineInfo table in the [Advanced hunting](overview-hunting.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -48,8 +48,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance | MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine | ## Related topics - - [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Learn the query language](advanced-hunting.md) +- [Understand the schema](advanced-hunting-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md index 717019c475..6ed1b6e9b3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The MachineNetworkInfo table in the Advanced hunting schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. +The MachineNetworkInfo table in the [Advanced hunting](overview-hunting.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -49,8 +49,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance | IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local | ## Related topics - - [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Learn the query language](advanced-hunting.md) +- [Understand the schema](advanced-hunting-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md index deeef6fd8a..6a3f93d80f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The MiscEvents table in the Advanced hunting schema contains information about multiple event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. +The MiscEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -80,8 +80,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics - - [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Learn the query language](advanced-hunting.md) +- [Understand the schema](advanced-hunting-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md index 9427ce74c8..b1f12de327 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The NetworkCommunicationEvents table in the Advanced hunting schema contains information about network connections and related events. Use this reference to construct queries that return information from the table. +The NetworkCommunicationEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -63,8 +63,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics - - [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Learn the query language](advanced-hunting.md) +- [Understand the schema](advanced-hunting-reference.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md index 43a0651a0f..84aeeafcd5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The ProcessCreationEvents table in the Advanced hunting schema contains information about process creation and related events. Use this reference to construct queries that return information from the table. +The ProcessCreationEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -71,8 +71,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics - - [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Learn the query language](advanced-hunting.md) +- [Understand the schema](advanced-hunting-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md index 140286d974..88124e8c37 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md @@ -8,27 +8,26 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: macapara -author: mjcaparas +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 07/24/2019 +ms.date: 09/25/2019 --- -# Advanced hunting reference in Microsoft Defender ATP +# Understand the Advanced hunting schema **Applies to:** - - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -## Advanced hunting table reference +## Schema tables -The Advanced hunting schema is made up of multiple tables that provide either event information or information about certain entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema. +The [Advanced hunting](overview-hunting.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema. The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table. @@ -48,6 +47,5 @@ Table and column names are also listed within the Microsoft Defender Security Ce | **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection | ## Related topics - -- [Query data using Advanced hunting](advanced-hunting.md) -- [Best practices for Advanced hunting query-writing](advanced-hunting-best-practices.md) +- [Advanced hunting overview](overview-hunting.md) +- [Learn the query language](advanced-hunting.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md index 3099373d13..b5150e366e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The RegistryEvents table in the Advanced hunting schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table. +The RegistryEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -61,8 +61,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics - - [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Learn the query language](advanced-hunting.md) +- [Understand the schema](advanced-hunting-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md new file mode 100644 index 0000000000..a7f66ba422 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md @@ -0,0 +1,64 @@ +--- +title: Use shared queries in advanced hunting +description: Take advantage of shared advanced hunting queries. Share your queries to the public or to your organization. +keywords: advanced hunting, atp query, query atp data, atp telemetry, events, events telemetry, kusto, github repo +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 09/25/2019 +--- + +# Use shared queries in Advanced hunting + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) + +[Advanced hunting](overview-hunting.md) queries can be shared among users in the same organization. You can also find queries shared publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch. + + + +## Save, modify, and share a query +You can save a new or existing query so that it is only accessible to you or shared with other users in your organization. + +1. Type a new query or load an existing one from under **Shared queries** or **My queries**. + +2. Select **Save** or **Save as** from the save options. To avoid overwriting an existing query, choose **Save as**. + +3. Enter a name for the query. + +  + +4. Select the folder where you'd like to save the query. + - **Shared queries** — shared to all users in the your organization + - **My queries** — accessible only to you + +5. Select **Save**. + +## Delete or rename a query +1. Right-click on a query you want to rename or delete. + +  + +2. Select **Delete** and confirm deletion. Or select **Rename** and provide a new name for the query. + +## Access queries in the GitHub repository +Microsoft security researchers regularly share Advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/). + +>[!TIP] +>Microsoft security researchers also provide Advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](threat-analytics.md) reports in Microsoft Defender Security Center. + +## Related topics +- [Advanced hunting overview](overview-hunting.md) +- [Learn the query language](advanced-hunting.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md index 9ce09a700b..6ef8ce1994 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md @@ -1,153 +1,143 @@ --- -title: Query data using Advanced hunting in Microsoft Defender ATP -description: Learn about Advanced hunting in Microsoft Defender ATP and how to query ATP data. -keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics +title: Learn the Advanced hunting query language +description: Get an overview of the common operators and other aspects of the Advanced hunting query language you can use to formulate queries +keywords: advanced hunting, atp query, query atp data, atp telemetry, events, events telemetry, kusto search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: macapara -author: mjcaparas +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 08/15/2018 +ms.date: 09/25/2019 --- -# Query data using Advanced hunting in Microsoft Defender ATP +# Learn the Advanced hunting query language + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) +Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-reference.md) specifically structured for Advanced hunting. To understand these concepts better, run your first query. -To get you started in querying your data, you can use the Basic or Advanced query examples, which have some preloaded queries to help you understand the basic query syntax. +## Try your first query - +In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example: -## Use advanced hunting to query data +``` +// Finds PowerShell execution events that could involve a download. +ProcessCreationEvents +| where EventTime > ago(7d) +| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE") +| where ProcessCommandLine has "Net.WebClient" + or ProcessCommandLine has "DownloadFile" + or ProcessCommandLine has "Invoke-WebRequest" + or ProcessCommandLine has "Invoke-Shellcode" + or ProcessCommandLine contains "http:" +| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine +| top 100 by EventTime' +``` -A typical query starts with a table name followed by a series of operators separated by **|**. - -In the following example, we start with the table name **ProcessCreationEvents** and add piped elements as needed. +This is how it will look like in Advanced hunting.  -First, we define a time filter to review only records from the previous seven days. +### Describe the query and specify the table to search +The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization. -We then add a filter on the _FileName_ to contain only instances of _powershell.exe_. +``` +// Finds PowerShell execution events that could involve a download. +ProcessCreationEvents +``` -Afterwards, we add a filter on the _ProcessCommandLine_. +The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding with the table name `ProcessCreationEvents` and add piped elements as needed. -Finally, we project only the columns we're interested in exploring and limit the results to 100 and click **Run query**. +### Set the time range +The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out. -You have the option of expanding the screen view so you can focus on your hunting query and related results. +``` +| where EventTime > ago(7d) +``` +### Search for specific executable files +The time range is immediately followed by a search for files representing the PowerShell application. -### Use operators -The query language is very powerful and has a lot of available operators, some of them are - +``` +| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE") +``` +### Search for specific command lines +Afterwards, the query looks for command lines that are typically used with PowerShell to download files. -- **where** - Filter a table to the subset of rows that satisfy a predicate. -- **summarize** - Produce a table that aggregates the content of the input table. -- **join** - Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table. -- **count** - Return the number of records in the input record set. -- **top** - Return the first N records sorted by the specified columns. -- **limit** - Return up to the specified number of rows. -- **project** - Select the columns to include, rename or drop, and insert new computed columns. -- **extend** - Create calculated columns and append them to the result set. -- **makeset** - Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group -- **find** - Find rows that match a predicate across a set of tables. +``` +| where ProcessCommandLine has "Net.WebClient" + or ProcessCommandLine has "DownloadFile" + or ProcessCommandLine has "Invoke-WebRequest" + or ProcessCommandLine has "Invoke-Shellcode" + or ProcessCommandLine contains "http:" +``` +### Select result columns and length +Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process. -To see a live example of these operators, run them as part of the **Get started** section. +``` +| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine +| top 100 by EventTime' +``` + +Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results. + +## Learn common query operators for Advanced hunting + +Now that you've run your first query and have a general idea of its components, it's time to backtrack a little bit and learn some basics. The Kusto query language used by Advanced hunting supports a range of operators, including the following common ones. + +| Operator | Description and usage | +|--|--| +| **where** | Filter a table to the subset of rows that satisfy a predicate. | +| **summarize** | Produce a table that aggregates the content of the input table. | +| **join** | Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table. | +| **count** | Return the number of records in the input record set. | +| **top** | Return the first N records sorted by the specified columns. | +| **limit** | Return up to the specified number of rows. | +| **project** | Select the columns to include, rename or drop, and insert new computed columns. | +| **extend** | Create calculated columns and append them to the result set. | +| **makeset** | Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. | +| **find** | Find rows that match a predicate across a set of tables. | + +To see a live example of these operators, run them from the **Get started** section of the Advanced hunting page. + +## Understand data types + +Data in Advanced hunting tables are generally classified into the following data types. + +| Data type | Description and query implications | +|--|--| +| **datetime** | Data and time information typically representing event timestamps | +| **string** | Character string | +| **bool** | True or false | +| **int** | 32-bit numeric value | +| **long** | 64-bit numeric value | + +## Use sample queries + +The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them. + + + +>[!NOTE] +>Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository. ## Access query language documentation -For more information on the query language and supported operators, see [Query Language](https://docs.microsoft.com/azure/log-analytics/query-language/query-language). - -## Use exposed tables in Advanced hunting - -The following tables are exposed as part of Advanced hunting: - -- **AlertEvents** - Alerts on Microsoft Defender Security Center -- **MachineInfo** - Machine information, including OS information -- **MachineNetworkInfo** - Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains -- **ProcessCreationEvents** - Process creation and related events -- **NetworkCommunicationEvents** - Network connection and related events -- **FileCreationEvents** - File creation, modification, and other file system events -- **RegistryEvents** - Creation and modification of registry entries -- **LogonEvents** - Login and other authentication events -- **ImageLoadEvents** - DLL loading events -- **MiscEvents** - Multiple event types, such as process injection, creation of scheduled tasks, and LSASS access attempts - -These tables include data from the last 30 days. - -## Use shared queries -Shared queries are prepopulated queries that give you a starting point on running queries on your organization's data. It includes a couple of examples that help demonstrate the query language capabilities. - - - -You can save, edit, update, or delete queries. - -### Save a query -You can create or modify a query and save it as your own query or share it with users who are in the same tenant. - -1. Create or modify a query. - -2. Click the **Save query** drop-down button and select **Save as**. - -3. Enter a name for the query. - -  - -4. Select the folder where you'd like to save the query. - - Shared queries - Allows other users in the tenant to access the query - - My query - Accessible only to the user who saved the query - -5. Click **Save**. - -### Update a query -These steps guide you on modifying and overwriting an existing query. - -1. Edit an existing query. - -2. Click the **Save**. - -### Delete a query -1. Right-click on a query you want to delete. - -  - -2. Select **Delete** and confirm that you want to delete the query. - -## Result set capabilities in Advanced hunting - -The result set has several capabilities to provide you with effective investigation, including: - -- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in Microsoft Defender Security Center. -- You can right-click on a cell in the result set and add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set. - - - -## Filter results in Advanced hunting -In Advanced hunting, you can use the advanced filter on the output result set of the query. -The filters provide an overview of the result set where -each column has it's own section and shows the distinct values that appear in the column and their prevalence. - -You can refine your query based on the filter by clicking the "+" or "-" buttons on the values that you want to include or exclude and click **Run query**. - - - -The filter selections will resolve as an additional query term and the results will be updated accordingly. - - - -## Public Advanced hunting query GitHub repository -Check out the [Advanced hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers. - +For more information on Kusto query language and supported operators, see [Query Language](https://docs.microsoft.com/azure/kusto/query/). >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) -## Related topic -- [Advanced hunting reference](advanced-hunting-reference.md) -- [Advanced hunting query language best practices](advanced-hunting-best-practices.md) +## Related topics +- [Advanced hunting overview](overview-hunting.md) +- [Understand the schema](advanced-hunting-reference.md) +- [Apply query best practices](advanced-hunting-best-practices.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index bd14cbf032..2c44e8cfe9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -39,7 +39,7 @@ Method|Return Type |Description Property | Type | Description :---|:---|:--- id | String | Alert ID. -incidentId | String | The [Incident](view-incidents-queue.md) ID of the Alert. +incidentId | String | The [Incident](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) ID of the Alert. assignedTo | String | Owner of the alert. severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'. status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 311f6803b0..a858f74cac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -1,7 +1,7 @@ --- title: Use attack surface reduction rules to prevent malware infection description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware -keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention +keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -12,7 +12,6 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/07/2019 ms.reviewer: manager: dansimp --- @@ -28,7 +27,7 @@ manager: dansimp Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019. -To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. +To use the entire feature set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can use Event Viewer to review attack surface reduction rule events. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: @@ -36,17 +35,17 @@ Attack surface reduction rules target behaviors that malware and malicious apps * Obfuscated or otherwise suspicious scripts * Behaviors that apps don't usually initiate during normal day-to-day work -You can use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. +You can use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. -Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center. +Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 security center. For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). -## Review attack surface reduction events in the Microsoft Security Center +## Review attack surface reduction events in the Microsoft Defender Security Center Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment. +You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting.md). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to understand how attack surface reduction rules could affect your environment. Here is an example query: @@ -208,7 +207,7 @@ This rule blocks the following file types from launching unless they either meet * Executable files (such as .exe, .dll, or .scr) > [!NOTE] -> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. +> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule. > [!IMPORTANT] > The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. @@ -228,7 +227,7 @@ GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25 This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list. > [!NOTE] -> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. +> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule. This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 @@ -329,4 +328,4 @@ GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b * [Enable attack surface reduction rules](enable-attack-surface-reduction.md) * [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) -* [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility) +* [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md index fac075a33c..4eafbbefa8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md @@ -53,7 +53,7 @@ The goal is to remediate the issues in the security recommendations list to impr See how you can [improve your security configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details. >[!IMPORTANT] ->To boost your vulnerability assessment detection rates, you can download the following set of optional security updates and deploy them in your network: +>To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network: >- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) >- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) >- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) @@ -62,8 +62,6 @@ See how you can [improve your security configuration](https://docs.microsoft.com >To download the security updates: >1. Go to [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/home.aspx). >2. Key-in the security update KB number that you need to download, then click **Search**. -> ->Downloading the above-mentioned security updates will be mandatory starting Patch Tuesday, October 8, 2019. ## Related topics - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md index 3974d3dc84..484a763167 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md @@ -57,7 +57,7 @@ From the device compliance page, create a configuration profile specifically for - Select **Create a device configuration profile to configure ATP sensor** to start with a predefined device configuration profile. - Create the device configuration profile from scratch. -For more information, [read about using Intune device configuration profiles to onboard machines to Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile). +For more information, [read about using Intune device configuration profiles to onboard machines to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile). >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 2e925f762d..010274d097 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -33,8 +33,10 @@ Custom detection rules built from [Advanced hunting](overview-hunting.md) querie In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results. -> [!NOTE] -> To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that don’t use the `project` operator to customize results usually return these common columns. +#### Required columns in the query results +To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Simple queries, such as those that don’t use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. + +There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `MachineId`, you can still return `EventTime` and `ReportId` by getting them from the most recent event involving each machine. The sample query below counts the number of unique machines (`MachineId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `EventTime` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. @@ -112,3 +114,5 @@ You can also take the following actions on the rule from this page: ## Related topic - [Custom detections overview](overview-custom-detections.md) +- [Advanced hunting overview](overview-hunting.md) +- [Learn the Advanced hunting query language](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-shared-queries.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-shared-queries.png new file mode 100644 index 0000000000..c245c9e9fb Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-shared-queries.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png index c8c053fd44..495ac3cb26 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp_advanced_hunting_delete_rename.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp_advanced_hunting_delete_rename.png new file mode 100644 index 0000000000..93931e9013 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp_advanced_hunting_delete_rename.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md index b78325e026..379a0c8d3e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md @@ -78,7 +78,6 @@ You can click the circles on the incident graph to view the details of the malic  ## Related topics -- [View and organize the Incidents queue](view-incidents-queue.md) -- [Manage incidents](manage-incidents.md) - - +- [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) +- [Investigate incidents in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents) +- [Manage Microsoft Defender ATP incidents](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-incidents) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md index 6f2cd9df63..56e0d4eeb2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md @@ -60,6 +60,6 @@ Added comments instantly appear on the pane. ## Related topics -- [Incidents queue](incidents-queue.md) +- [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) - [View and organize the Incidents queue](view-incidents-queue.md) - [Investigate incidents](investigate-incidents.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index e4f3194e93..57782a8e2b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -37,6 +37,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr - Windows 10 Enterprise E5 - Windows 10 Education E5 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5 +- Microsoft 365 E3 (M365 E3) with Identity and Threat Protection package For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare). diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index 8398ee9986..425427b295 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md @@ -28,11 +28,12 @@ With custom detections, you can proactively monitor for and respond to various e Custom detections work with [Advanced hunting](overview-hunting.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches. Custom detections provide: -- Alerts from rule-based detections built from Advanced hunting queries +- Alerts for rule-based detections built from Advanced hunting queries - Automatic response actions that apply to files and machines >[!NOTE] >To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. ## Related topic -- [Create and manage custom detection rules](custom-detection-rules.md) \ No newline at end of file +- [Create and manage custom detection rules](custom-detection-rules.md) +- [Advanced hunting overview](overview-hunting.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md index 8343dc2003..4c4cf5edcf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md @@ -37,7 +37,7 @@ The response capabilities give you the power to promptly remediate threats by ac Topic | Description :---|:--- [Security operations dashboard](security-operations-dashboard.md) | Explore a high level overview of detections, highlighting where response actions are needed. -[Incidents queue](incidents-queue.md) | View and organize the incidents queue, and manage and investigate alerts. +[Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) | View and organize the incidents queue, and manage and investigate alerts. [Alerts queue](alerts-queue.md) | View and organize the machine alerts queue, and manage and investigate alerts. [Machines list](machines-view-overview.md) | Investigate machines with generated alerts and search for specific events over time. [Take response actions](response-actions.md) | Learn about the available response actions and apply them to machines and files. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md index 3d1b55266e..ab47dc3981 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md @@ -1,40 +1,72 @@ --- -title: Overview of advanced hunting capabilities +title: Overview of Advanced hunting description: Hunt for possible threats across your organization using a powerful search and query tool -keywords: advanced hunting, hunting, search, query, tool, intellisense, telemetry +keywords: advanced hunting, hunting, search, query, tool, telemetry, custom detection, schema, kusto search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: macapara -author: mjcaparas +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: conceptual +ms.topic: article --- -# Overview of advanced hunting +# Proactively hunt for threats with Advanced hunting **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Microsoft Defender Security Center. +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) -With advanced hunting, you can take advantage of the following capabilities: +Advanced hunting provides access to 30 days of raw data through a flexible query-based interface, allowing you to proactively explore events in your environment and locate interesting indicators and entities. This flexible access to data enables unconstrained hunting for both known and potential threats. -- **Powerful query language with IntelliSense** - Built on top of a query language that gives you the flexibility you need to take hunting to the next level. -- **Query the stored telemetry** - The telemetry data is accessible in tables for you to query. For example, you can query process creation, network communication, and many other event types. -- **Links to portal** - Certain query results, such as machine names and file names are actually direct links to the portal, consolidating the Advanced hunting query experience and the existing portal investigation experience. -- **Query examples** - A welcome page provides examples designed to get you started and get you familiar with the tables and the query language. +With custom detection rules, you can also use Advanced hunting queries to proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured machines. -## In this section -Topic | Description -:---|:--- -[Query data using Advanced hunting](advanced-hunting.md) | Learn how to use the basic or advanced query examples to search for possible emerging threats in your organization. -[Custom detections](overview-custom-detections.md)| With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. +## Get started with Advanced hunting +We recommend going through several steps to quickly get up and running with Advanced hunting. +| Learning goal | Description | Resource | +|--|--|--| +| **Get a feel for the language** | Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting.md) | +| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries. | [Schema reference](advanced-hunting-reference.md) | +| **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) | +| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | [Custom detections overview](overview-custom-detections.md) | +## Get help as you write queries +Take advantage of the following functionality to write queries faster: +- **Autosuggest** — as you write queries, Advanced hunting provides suggestions. +- **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor. + +## Drilldown from query results +To view more information about entities, such as machines, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity in Microsoft Defender Security Center. + +## Tweak your queries from the results +Right-click a value in the result set to quickly enhance your query. You can use the options to: + +- Explicitly look for the selected value (`==`) +- Exclude the selected value from the query (`!=`) +- Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with` + + + +## Filter the query results +The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances. + +Refine your query by selecting the "+" or "-" buttons next to the values that you want to include or exclude. + + + +Once you apply the filter to modify the query and then run the query, the results are updated accordingly. + +## Related topics +- [Learn the query language](advanced-hunting.md) +- [Use shared queries](advanced-hunting-shared-queries.md) +- [Understand the schema](advanced-hunting-reference.md) +- [Apply query best practices](advanced-hunting-best-practices.md) +- [Custom detections overview](overview-custom-detections.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md index 7a1c0650f9..9a9fa6e53c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md @@ -141,7 +141,7 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t  -4. Create a new directory `Microsoft Power BI Desktop\Custom Connectors` under the user's Documents folder. +4. Create a new directory `[Documents]\Power BI Desktop\Custom Connectors`. 5. Copy WDATPDataConnector.mez from the zip to the directory you just created. @@ -150,6 +150,9 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t 7. Click **File** > **Options and settings** > **Custom data connectors**. 8. Select **New table and matrix visuals** and **Custom data connectors** and click **OK**. + + > [!NOTE] + > If you plan on using Custom Connectors or connectors that you or a third party has developed, you must select *(Not Recommended) Allow any extension to load without warning* under **Power BI Desktop** > **File** > **Options and settings** > **Options** > **Security** > **Data Extensions**". >[!NOTE] >If you are using Power BI Desktop July 2017 version (or later), you won't need to select **New table and matrix visuals**. You'll only need to select **Custom data connectors**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index d63d1f4ea5..f7512247e0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -29,21 +29,19 @@ Ensure that your machines: >[!NOTE] >Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday. -- Have the following mandatory updates installed: -- (1) RS3 customers | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) -- (2) RS4 customers | [KB4493464](https://support.microsoft.com/help/4493464) +- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates: + +> Release | Security update KB number and link +> :---|:--- +> RS3 customers | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) +> RS4 customers| [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) +> RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) +> 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) + - Are onboarded to Microsoft Intune and System Center Configuration Manager (SCCM). If you are use SCCM, update your console to the latest May version 1905 - Have at least one security recommendation that can be viewed in the machine page - Are tagged or marked as co-managed ->[!IMPORTANT] ->To boost your vulnerability assessment detection rates, you can download the following set of optional security updates and deploy them in your network: ->- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) ->- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) ->- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) ->- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) ->
Downloading and deploying the above-mentioned security updates will be mandatory starting Patch Tuesday, October 8, 2019. - ## Reduce your threat and vulnerability exposure Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index bb9f499cd3..e2615c2319 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md @@ -26,12 +26,11 @@ Threat & Vulnerability Management leverages the same signals in Microsoft Defend The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights. >[!IMPORTANT] ->To boost your vulnerability assessment detection rates, you can download the following set of optional security updates and deploy them in your network: +>To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network: >- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) >- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) >- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) >- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) ->
Downloading the above-mentioned security updates will be mandatory starting Patch Tuesday, October 8, 2019.
## Navigate through your organization's weaknesses page
You can see the list of vulnerabilities in four ways:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
index c3753c466c..4bda743be9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
@@ -64,7 +64,7 @@ You can choose to limit the list of incidents shown based on their status to see
Use this filter to show incidents that contain sensitivity labels.
## Related topics
-- [Incidents queue](incidents-queue.md)
+- [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue)
- [Manage incidents](manage-incidents.md)
- [Investigate incidents](investigate-incidents.md)
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index 8ce51363fd..f9421d02f6 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -31,9 +31,7 @@ The Security Compliance Toolkit consists of:
- Windows 10 Version 1809 (October 2018 Update)
- Windows 10 Version 1803 (April 2018 Update)
- Windows 10 Version 1709 (Fall Creators Update)
- - Windows 10 Version 1703 (Creators Update)
- Windows 10 Version 1607 (Anniversary Update)
- - Windows 10 Version 1511 (November Update)
- Windows 10 Version 1507
- Windows Server security baselines
@@ -42,7 +40,7 @@ The Security Compliance Toolkit consists of:
- Windows Server 2012 R2
- Microsoft Office security baseline
- - Office 2016
+ - Office365 ProPlus (Sept 2019)
- Tools
- Policy Analyzer tool
diff --git a/windows/security/threat-protection/security-policy-settings/account-policies.md b/windows/security/threat-protection/security-policy-settings/account-policies.md
index 3c9a703853..f740ced849 100644
--- a/windows/security/threat-protection/security-policy-settings/account-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/account-policies.md
@@ -25,7 +25,8 @@ ms.date: 04/19/2017
An overview of account policies in Windows and provides links to policy descriptions.
All account policies settings applied by using Group Policy are applied at the domain level. Default values are present in the built-in default domain controller policy for Password Policy settings, Account Lockout Policy settings, and Kerberos Policy settings. The domain account policy becomes the default local account policy of any device that is a member of the domain. If these policies are set at any level below the domain level in Active Directory Domain Services (AD DS), they affect only local accounts on member servers.
-> **Note:** Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO).
+> [!NOTE]
+> Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO).
The only exception is when another account policy is defined for an organizational unit (OU). The account policy settings for the OU affect the local policy on any computers that are contained in the OU. For example, if an OU policy defines a maximum password age that differs from the domain-level account policy, the OU policy will be applied and enforced only when users log on to the local computer. The default local computer policies apply only to computers that are in a workgroup or in a domain where neither an OU account policy nor a domain policy applies.
diff --git a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
index 090bb9f3bf..82dc9c1898 100644
--- a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
+++ b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
@@ -84,6 +84,9 @@ Settings are applied in the following order through a Group Policy Object (GPO),
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
+> [!NOTE]
+> More information about configuring the policy can be found [here](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings).
+
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
index ba47760e7f..5760e380c9 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
@@ -11,7 +11,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
-ms.date: 12/10/2018
ms.reviewer:
manager: dansimp
---
@@ -36,12 +35,16 @@ The utility has the following commands:
```DOS
MpCmdRun.exe [command] [-options]
```
+For example,
+```
+MpCmdRun.exe -scan -2
+```
| Command | Description |
|:--------------------------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------|
| \-? **or** -h | Displays all available options for this tool |
-| \-Scan [-ScanType #] [-File \
->[!Note]
->This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
+> [!Note]
+> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
Certain software applications may allow additional code to run by design.
These types of applications should be blocked by your Windows Defender Application Control policy.
@@ -88,7 +89,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
- msxml6.dll
- jscript9.dll
-Pick the correct version of each .dll for the Windows release you plan to support, and remove the other versions.
+Pick the correct version of each .dll for the Windows release you plan to support, and remove the other versions. Ensure that you also uncomment them in the signing scenarios section.
```xml
@@ -888,9 +889,11 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
+
+> [!Note]
+> To create a policy that works on both Windows 10, version 1803 and version 1809, you can create two different policies, or merge them into one broader policy.
+
+## More information
+
+- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index cde7dc4fc5..15c54f8ada 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -34,7 +34,7 @@ Select Windows Defender Firewall.
## Firewall rule components
-The firewall rule configurations in Intune use the Windows 10 CSP for Firewall. For more information, see [Firewall CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/firewall-csp).
+The firewall rule configurations in Intune use the Windows 10 CSP for Firewall. For more information, see [Firewall CSP](https://docs.microsoft.com/windows/client-management/mdm/firewall-csp).
## Application
Control connections for an app or program.
diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
index a4d7f249b4..57292a294e 100644
--- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -89,6 +89,9 @@ First, create the WMI filter and configure it to look for a specified version (o
10. Click **Save** to save your completed filter.
+> [!NOTE]
+> If you're using multiple queries in the same WMI filter, these queries must all return **TRUE** for the filter requirements to be met and for the GPO to be applied.
+
## To link a WMI filter to a GPO
After you have created a filter with the correct query, link the filter to the GPO. Filters can be reused with many GPOs simultaneously; you do not have to create a new one for each GPO if an existing one meets your needs.
diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md
index e59d8d582b..30b70df2a4 100644
--- a/windows/security/threat-protection/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-baselines.md
@@ -20,8 +20,8 @@ ms.reviewer:
**Applies to**
- Windows 10
-- Windows Server 2016
-- Office 2016
+- Windows Server
+- Office 365 ProPlus
## Using security baselines in your organization