**Customize Internet Explorer 11**
The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after deployment.
Download IEAK 11
IEAK 11 user's guide
Frequently asked questions about IEAK 11
Customization and distribution guidelines
**Install Internet Explorer 11**
Explore the different options for installation.
Through Automatic Updates (recommended)
As part of an operating system deployment
Over the network
With System Center 2012 R2 Configuration Manager
With Windows Server Update Services (WSUS)
With Microsoft Intune
With third-party tools
**Customize Internet Explorer 11** The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after deployment. Download IEAK 11 IEAK 11 user's guide Frequently asked questions about IEAK 11 Customization and distribution guidelines | **Install Internet Explorer 11** Explore the different options for installation. Through Automatic Updates (recommended) As part of an operating system deployment Over the network With System Center 2012 R2 Configuration Manager With Windows Server Update Services (WSUS) With Microsoft Intune With third-party tools |
-
 **Enforce settings with Group Policy** Learn how to use Group Policy to enforce settings on the computers in your organization. Group Policy for beginners New Group Policy settings for IE11 Administrative templates for IE11 |  **Standardize with Group Policy preferences** Group Policy preferences simplify deployment and standardize configurations, but unlike Group Policy, they can later be changed by users. Group Policy preferences for IE11 Configure Group Policy preferences | ||||||
 **Blocked out-of-date ActiveX controls** Find out more about the out-of-date ActiveX control blocking security feature available in Internet Explorer. Blocked out-of-date ActiveX controls Out-of-date ActiveX control blocking Update to block out-of-date ActiveX controls in Internet Explorer |  **Scripts for IT professionals** Find scripts to help you save time and automate common tasks. Batch loop: Check is a process running, if yes, wait in loop Script to join user to AD with automatic Local user Profile Migration Find-IE Citrix receiver Version See all scripts |
**Enforce settings with Group Policy** Learn how to use Group Policy to enforce settings on the computers in your organization. Group Policy for beginners New Group Policy settings for IE11 Administrative templates for IE11 | **Standardize with Group Policy preferences** Group Policy preferences simplify deployment and standardize configurations, but unlike Group Policy, they can later be changed by users. Group Policy preferences for IE11 Configure Group Policy preferences |
**Blocked out-of-date ActiveX controls** Find out more about the out-of-date ActiveX control blocking security feature available in Internet Explorer. Blocked out-of-date ActiveX controls Out-of-date ActiveX control blocking Update to block out-of-date ActiveX controls in Internet Explorer | **Scripts for IT professionals** Find scripts to help you save time and automate common tasks. Batch loop: Check is a process running, if yes, wait in loop Script to join user to AD with automatic Local user Profile Migration Find-IE Citrix receiver Version See all scripts |
Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.
Added new policies.
Added a new section:
-
-
- Policies supported by GP - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name. +
- Policies supported by Group Policy - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index 3a99871ce8..5d76f3ae08 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman +ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: manager: dansimp @@ -107,8 +108,8 @@ The [Policy DDF](policy-ddf-file.md) contains the following tags to identify the - \
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index bc9f5c1927..330b5e5bf5 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -132,9 +132,9 @@ Here is an example: ```
Intel- https://ekop.intel.com/ekcertservice +
Qualcomm- https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1 +
AMD- https://ftpm.amd.com/pki/aia
-[Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md) +--- +title: Overview of Windows Autopilot +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro +author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Overview of Windows Autopilot + +**Applies to** + +- Windows 10 + +Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices. This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. + +Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users. See the following diagram: + +  + +When initially deploying new Windows devices, Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on the device, saving organizations the effort of having to maintain custom images and drivers for every model of device being used. Instead of re-imaging the device, your existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise) to support advanced features. + +Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, System Center Configuration Manager, and other similar tools. Windows Autopilot can also be used to re-purpose a device by leveraging Windows Autopilot Reset to quickly prepare a device for a new user, or in break/fix scenarios to enable a device to quickly be brought back to a business-ready state. + +Windows Autopilot enables you to: +* Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. +* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription for configuration*](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Windows-10-Azure-AD-and-Microsoft-Intune-Automatic-MDM/ba-p/244067)). +* Restrict the Administrator account creation. +* Create and auto-assign devices to configuration groups based on a device's profile. +* Customize OOBE content specific to the organization. + +## Windows Autopilot walkthrough + +The following video shows the process of setting up Windows Autopilot: + + + + + +## Benefits of Windows Autopilot + +Traditionally, IT pros spend a lot of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach. + +From the user's perspective, it only takes a few simple operations to make their device ready to use. + +From the IT pro's perspective, the only interaction required from the end user is to connect to a network and to verify their credentials. Everything beyond that is automated. + +## Requirements + +Windows 10 version 1703 or higher is required to use Windows Autopilot. See [Windows Autopilot requirements](windows-autopilot-requirements.md) for detailed information on software, configuration, network, and licensing requirements. + +## Related topics + +[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot)
+[Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md) diff --git a/windows/hub/windows-10.yml b/windows/hub/windows-10.yml index e858c87806..1504e2cae3 100644 --- a/windows/hub/windows-10.yml +++ b/windows/hub/windows-10.yml @@ -33,7 +33,7 @@ sections: - type: markdown text: " Learn about the latest releases and servicing options.
-
 | What's new in Windows 10, version 1809 What's new in Windows 10, version 1803 What's new in Windows 10, version 1709 Windows 10 release information Windows 10 update history Windows 10 roadmap |
| What's new in Windows 10, version 1809 What's new in Windows 10, version 1803 What's new in Windows 10, version 1709 Windows 10 release information Windows 10 update history Windows 10 roadmap |
-
| Windows 10 FAQ for IT Pros Windows 10 forums Windows 10 TechCommunity Which edition is right for your organization? Infrastructure requirements What's Windows as a service? Windows 10 Mobile deployment and management guide |  |
**In-place upgrade** The simplest way to upgrade PCs that are currently running WIndows 7, Windows 8, or Windows 8.1 is to do an in-place upgrade. Upgrade to Windows 10 with Configuration Manager Upgrade to Windows 10 with MDT | **Traditional deployment** Some organizations may still need to opt for an image-based deployment of Windows 10. Deploy Windows 10 with Configuration Manager Deploy Windows 10 with MDT | ||
 **Dynamic provisioning** With Windows 10 you can create provisioning packages that let you quickly configure a device without having to install a new image. Provisioning packages for Windows 10 Build and apply a provisioning package Customize Windows 10 start and the taskbar |  Windows deployment for education environmentsSet up a shared or guest PC with Windows 10 Sideload apps in Windows 10 |
**In-place upgrade** The simplest way to upgrade PCs that are currently running WIndows 7, Windows 8, or Windows 8.1 is to do an in-place upgrade. Upgrade to Windows 10 with Configuration Manager Upgrade to Windows 10 with MDT | **Traditional deployment** Some organizations may still need to opt for an image-based deployment of Windows 10. Deploy Windows 10 with Configuration Manager Deploy Windows 10 with MDT |
**Dynamic provisioning** With Windows 10 you can create provisioning packages that let you quickly configure a device without having to install a new image. Provisioning packages for Windows 10 Build and apply a provisioning package Customize Windows 10 start and the taskbar | Windows deployment for education environments Set up a shared or guest PC with Windows 10 Sideload apps in Windows 10 |
-
**Manage Windows 10 updates** Get best practices and tools to help you manage clients and apps. Manage clients in Windows 10 Manage apps and features in Windows 10 | **Security** Intelligent security, powered by the cloud. Out-of-the-box protection, advanced security features, and intelligent management to respond to advanced threats. Windows 10 enterprise security Threat protection Identity protection Information protection |
**Manage Windows 10 updates** Get best practices and tools to help you manage clients and apps. Manage clients in Windows 10 Manage apps and features in Windows 10 | **Security** Intelligent security, powered by the cloud. Out-of-the-box protection, advanced security features, and intelligent management to respond to advanced threats. Windows 10 enterprise security Threat protection Identity protection Information protection |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 10240.18334 September 23, 2019 KB4522009 | Resolved KB4524153 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 10240.18334 September 23, 2019 KB4522009 | Resolved KB4520011 | October 08, 2019 10:00 AM PT |
| Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error. See details > | OS Build 10240.18305 August 13, 2019 KB4512497 | Resolved KB4517276 | August 17, 2019 02:00 PM PT |
| MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later. See details > | OS Build 10240.18244 June 11, 2019 KB4503291 | Resolved External | August 09, 2019 07:03 PM PT |
| Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close. See details > | OS Build 10240.18244 June 11, 2019 KB4503291 | Resolved KB4507458 | July 09, 2019 10:00 AM PT |
| Unable to access some gov.uk websites gov.uk websites that don’t support “HSTS” may not be accessible See details > | OS Build 10240.18215 May 14, 2019 KB4499154 | Resolved KB4505051 | May 19, 2019 02:00 PM PT |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. See details > | OS Build 10240.18132 February 12, 2019 KB4487018 | Resolved KB4493475 | April 09, 2019 10:00 AM PT |
| MSXML6 may cause applications to stop responding MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). See details > | OS Build 10240.18094 January 08, 2019 KB4480962 | Resolved KB4493475 | April 09, 2019 10:00 AM PT |
| Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer. See details > | OS Build 10240.18158 March 12, 2019 KB4489872 | Resolved KB4493475 | April 09, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524153. Back to top | OS Build 10240.18334 September 23, 2019 KB4522009 | Resolved KB4524153 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4520011. Back to top | OS Build 10240.18334 September 23, 2019 KB4522009 | Resolved KB4520011 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms:
- Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: We have released an \"optional, out-of-band\" update for Windows 10 (KB4505051) to resolve this issue. If you are affected, we recommend you apply this update by installing KB4505051 from Windows Update and then restarting your device.
This update will not be applied automatically. To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505051, search for it in the Microsoft Update Catalog.
Back to top
May 14, 2019
KB4499154
KB4505051
May 19, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT
| Details | Originating update | Status | History |
| Custom URI schemes may not start corresponding application After installing KB4489872, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer. Affected platforms:
Resolution: This issue was resolved in KB4493475. Back to top | OS Build 10240.18158 March 12, 2019 KB4489872 | Resolved KB4493475 | Resolved: April 09, 2019 10:00 AM PT Opened: March 12, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms:
Resolution: This issue is resolved in KB4493475. Back to top | OS Build 10240.18132 February 12, 2019 KB4487018 | Resolved KB4493475 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| MSXML6 may cause applications to stop responding After installing KB4480962, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. Affected platforms:
Resolution: This issue was resolved in KB4493475. Back to top | OS Build 10240.18094 January 08, 2019 KB4480962 | Resolved KB4493475 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 14393.3206 September 23, 2019 KB4522010 | Resolved KB4524152 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 14393.3206 September 23, 2019 KB4522010 | Resolved KB4519998 | October 08, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 14393.3204 September 10, 2019 KB4516044 | Resolved | September 17, 2019 04:47 PM PT |
| Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data. See details > | OS Build 14393.3053 June 18, 2019 KB4503294 | Resolved KB4516044 | September 10, 2019 10:00 AM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 14393.3115 July 16, 2019 KB4507459 | Resolved KB4512517 | August 13, 2019 10:00 AM PT |
| Unable to access some gov.uk websites gov.uk websites that don’t support “HSTS” may not be accessible See details > | OS Build 14393.2969 May 14, 2019 KB4494440 | Resolved KB4505052 | May 19, 2019 02:00 PM PT |
| Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. See details > | OS Build 14393.2941 April 25, 2019 KB4493473 | Resolved KB4494440 | May 14, 2019 10:00 AM PT |
| Zone transfers over TCP may fail Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail. See details > | OS Build 14393.2941 April 25, 2019 KB4493473 | Resolved KB4494440 | May 14, 2019 10:00 AM PT |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. See details > | OS Build 14393.2791 February 12, 2019 KB4487026 | Resolved KB4493470 | April 09, 2019 10:00 AM PT |
| Internet Explorer 11 authentication issue with multiple concurrent logons Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine. See details > | OS Build 14393.2724 January 08, 2019 KB4480961 | Resolved KB4493470 | April 09, 2019 10:00 AM PT |
| End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup. See details > | OS Build 14393.2879 March 19, 2019 KB4489889 | Resolved KB4493470 | April 09, 2019 10:00 AM PT |
| MSXML6 may cause applications to stop responding MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). See details > | OS Build 14393.2724 January 08, 2019 KB4480961 | Resolved KB4493470 | April 09, 2019 10:00 AM PT |
| Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer. See details > | OS Build 14393.2848 March 12, 2019 KB4489882 | Resolved KB4493473 | April 25, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524152. Back to top | OS Build 14393.3206 September 23, 2019 KB4522010 | Resolved KB4524152 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4519998. Back to top | OS Build 14393.3206 September 23, 2019 KB4522010 | Resolved KB4519998 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: After investigation, we have found that this issue does not affect this version of Windows. Back to top | OS Build 14393.3204 September 10, 2019 KB4516044 | Resolved | Resolved: September 17, 2019 04:47 PM PT Opened: September 13, 2019 05:25 PM PT |
| Details | Originating update | Status | History |
| Issue using PXE to start a device from WDS After installing KB4489882, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension. Affected platforms:
Resolution: This issue was resolved in KB4503267. Back to top | OS Build 14393.2848 March 12, 2019 KB4489882 | Resolved KB4503267 | Resolved: June 11, 2019 10:00 AM PT Opened: March 12, 2019 10:00 AM PT |
| End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions. Affected platforms:
Resolution: This issue was resolved in KB4493470. Back to top | OS Build 14393.2879 March 19, 2019 KB4489889 | Resolved KB4493470 | Resolved: April 09, 2019 10:00 AM PT Opened: March 19, 2019 10:00 AM PT |
| Custom URI schemes may not start corresponding application After installing KB4489882, Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer. Affected platforms:
Resolution: This issue is resolved in KB4493473. Back to top | OS Build 14393.2848 March 12, 2019 KB4489882 | Resolved KB4493473 | Resolved: April 25, 2019 02:00 PM PT Opened: March 12, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms:
Resolution: This issue is resolved in KB4493470. Back to top | OS Build 14393.2791 February 12, 2019 KB4487026 | Resolved KB4493470 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Internet Explorer 11 authentication issue with multiple concurrent logons After installing KB4480961, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
Affected platforms:
Resolution: This issue was resolved in KB4493470. Back to top | OS Build 14393.2724 January 08, 2019 KB4480961 | Resolved KB4493470 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
| MSXML6 may cause applications to stop responding After installing KB4480961, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. Affected platforms:
Resolution: This issue was resolved in KB4493470. Back to top | OS Build 14393.2724 January 08, 2019 KB4480961 | Resolved KB4493470 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 15063.2046 September 23, 2019 KB4522011 | Resolved KB4524151 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 15063.2046 September 23, 2019 KB4522011 | Resolved KB4520010 | October 08, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 15063.2045 September 10, 2019 KB4516068 | Resolved | September 17, 2019 04:47 PM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 15063.1955 July 16, 2019 KB4507467 | Resolved KB4512507 | August 13, 2019 10:00 AM PT |
| Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error. See details > | OS Build 15063.1988 August 13, 2019 KB4512507 | Resolved KB4512474 | August 17, 2019 02:00 PM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed. See details > | OS Build 15063.1839 May 28, 2019 KB4499162 | Resolved KB4503279 | June 11, 2019 10:00 AM PT |
| Unable to access some gov.uk websites gov.uk websites that don’t support “HSTS” may not be accessible See details > | OS Build 15063.1805 May 14, 2019 KB4499181 | Resolved KB4505055 | May 19, 2019 02:00 PM PT |
| Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. See details > | OS Build 15063.1784 April 25, 2019 KB4493436 | Resolved KB4499181 | May 14, 2019 10:00 AM PT |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. See details > | OS Build 15063.1631 February 12, 2019 KB4487020 | Resolved KB4493474 | April 09, 2019 10:00 AM PT |
| End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. See details > | OS Build 15063.1716 March 19, 2019 KB4489888 | Resolved KB4493474 | April 09, 2019 10:00 AM PT |
| MSXML6 may cause applications to stop responding MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). See details > | OS Build 15063.1563 January 08, 2019 KB4480973 | Resolved KB4493474 | April 09, 2019 10:00 AM PT |
| Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer. See details > | OS Build 15063.1689 March 12, 2019 KB4489871 | Resolved KB4493436 | April 25, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524151. Back to top | OS Build 15063.2046 September 23, 2019 KB4522011 | Resolved KB4524151 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4520010. Back to top | OS Build 15063.2046 September 23, 2019 KB4522011 | Resolved KB4520010 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: After investigation, we have found that this issue does not affect this version of Windows. Back to top | OS Build 15063.2045 September 10, 2019 KB4516068 | Resolved | Resolved: September 17, 2019 04:47 PM PT Opened: September 13, 2019 05:25 PM PT |
| Details | Originating update | Status | History |
| End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions. Affected platforms:
Resolution: This issue was resolved in KB4493474. Back to top | OS Build 15063.1716 March 19, 2019 KB4489888 | Resolved KB4493474 | Resolved: April 09, 2019 10:00 AM PT Opened: March 19, 2019 10:00 AM PT |
| Custom URI schemes may not start corresponding application After installing KB4489871, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer. Affected platforms:
Resolution: This issue is resolved in KB4493436. Back to top | OS Build 15063.1689 March 12, 2019 KB4489871 | Resolved KB4493436 | Resolved: April 25, 2019 02:00 PM PT Opened: March 12, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms:
Resolution: This issue is resolved in KB4493474. Back to top | OS Build 15063.1631 February 12, 2019 KB4487020 | Resolved KB4493474 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| MSXML6 may cause applications to stop responding After installing KB4480973, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. Affected platforms:
Resolution: This issue was resolved in KB4493474. Back to top | OS Build 15063.1563 January 08, 2019 KB4480973 | Resolved KB4493474 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 16299.1392 September 23, 2019 KB4522012 | Resolved KB4524150 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 16299.1392 September 23, 2019 KB4522012 | Resolved KB4520004 | October 08, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 16299.1387 September 10, 2019 KB4516066 | Resolved | September 19, 2019 04:08 PM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 16299.1296 July 16, 2019 KB4507465 | Resolved KB4512516 | August 13, 2019 10:00 AM PT |
| Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\" See details > | OS Build 16299.1217 June 11, 2019 KB4503284 | Resolved KB4512494 | August 16, 2019 02:00 PM PT |
| Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. See details > | OS Build 16299.1127 April 25, 2019 KB4493440 | Resolved KB4499179 | May 14, 2019 10:00 AM PT |
| Zone transfers over TCP may fail Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail. See details > | OS Build 16299.1127 April 25, 2019 KB4493440 | Resolved KB4499179 | May 14, 2019 10:00 AM PT |
| Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer. See details > | OS Build 16299.1029 March 12, 2019 KB4489886 | Resolved KB4493440 | April 25, 2019 02:00 PM PT |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. See details > | OS Build 16299.967 February 12, 2019 KB4486996 | Resolved KB4493441 | April 09, 2019 10:00 AM PT |
| End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. See details > | OS Build 16299.1059 March 19, 2019 KB4489890 | Resolved KB4493441 | April 09, 2019 10:00 AM PT |
| MSXML6 causes applications to stop responding if an exception was thrown MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). See details > | OS Build 16299.904 January 08, 2019 KB4480978 | Resolved KB4493441 | April 09, 2019 10:00 AM PT |
| Stop error when attempting to start SSH from WSL A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh –A) or a configuration setting. See details > | OS Build 16299.1029 March 12, 2019 KB4489886 | Resolved KB4493441 | April 09, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524150. Back to top | OS Build 16299.1392 September 23, 2019 KB4522012 | Resolved KB4524150 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4520004. Back to top | OS Build 16299.1392 September 23, 2019 KB4522012 | Resolved KB4520004 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: Due to security related changes in KB4516066, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Back to top | OS Build 16299.1387 September 10, 2019 KB4516066 | Resolved | Resolved: September 19, 2019 04:08 PM PT Opened: September 13, 2019 05:25 PM PT |
| Details | Originating update | Status | History |
| Custom URI schemes may not start corresponding application After installing KB4489886, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer. Affected platforms:
Resolution: This issue is resolved in KB4493440. Back to top | OS Build 16299.1029 March 12, 2019 KB4489886 | Resolved KB4493440 | Resolved: April 25, 2019 02:00 PM PT Opened: March 12, 2019 10:00 AM PT |
| End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions. Affected platforms:
Resolution: This issue is resolved in KB4493441. Back to top | OS Build 16299.1059 March 19, 2019 KB4489890 | Resolved KB4493441 | Resolved: April 09, 2019 10:00 AM PT Opened: March 19, 2019 10:00 AM PT |
| Stop error when attempting to start SSH from WSL After applying KB4489886, a stop error occurs when attempting to start the Secure Shell (SSH) client program from Windows Subsystem for Linux (WSL) with agent forwarding enabled using a command line switch (ssh –A) or a configuration setting. Affected platforms:
Resolution: This issue is resolved in KB4493441. Back to top | OS Build 16299.1029 March 12, 2019 KB4489886 | Resolved KB4493441 | Resolved: April 09, 2019 10:00 AM PT Opened: March 12, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms:
Resolution: This issue is resolved in KB4493441. Back to top | OS Build 16299.967 February 12, 2019 KB4486996 | Resolved KB4493441 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| MSXML6 causes applications to stop responding if an exception was thrown After installing KB4480978, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. Affected platforms:
Resolution: This issue is resolved in KB4493441. Back to top | OS Build 16299.904 January 08, 2019 KB4480978 | Resolved KB4493441 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 17134.1009 September 23, 2019 KB4522014 | Resolved KB4524149 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 17134.1009 September 23, 2019 KB4522014 | Resolved KB4520008 | October 08, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 17134.1006 September 10, 2019 KB4516058 | Resolved | September 19, 2019 04:08 PM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 17134.915 July 16, 2019 KB4507466 | Resolved KB4512501 | August 13, 2019 10:00 AM PT |
| Notification issue: \"Your device is missing important security and quality fixes.\" Some users may have incorrectly received the notification \"Your device is missing important security and quality fixes.\" See details > | N/A | Resolved | September 03, 2019 12:32 PM PT |
| Unable to access some gov.uk websites gov.uk websites that don’t support “HSTS” may not be accessible See details > | OS Build 17134.765 May 14, 2019 KB4499167 | Resolved KB4505064 | May 19, 2019 02:00 PM PT |
| Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. See details > | OS Build 17134.753 April 25, 2019 KB4493437 | Resolved KB4499167 | May 14, 2019 10:00 AM PT |
| Zone transfers over TCP may fail Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail. See details > | OS Build 17134.753 April 25, 2019 KB4493437 | Resolved KB4499167 | May 14, 2019 10:00 AM PT |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. See details > | OS Build 17134.590 February 12, 2019 KB4487017 | Resolved KB4493464 | April 09, 2019 10:00 AM PT |
| End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. See details > | OS Build 17134.677 March 19, 2019 KB4489894 | Resolved KB4493464 | April 09, 2019 10:00 AM PT |
| MSXML6 may cause applications to stop responding MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). See details > | OS Build 17134.523 January 08, 2019 KB4480966 | Resolved KB4493464 | April 09, 2019 10:00 AM PT |
| Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer. See details > | OS Build 17134.648 March 12, 2019 KB4489868 | Resolved KB4493437 | April 25, 2019 02:00 PM PT |
| Stop error when attempting to start SSH from WSL A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh –A) or a configuration setting. See details > | OS Build 17134.648 March 12, 2019 KB4489868 | Resolved KB4493464 | April 09, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524149. Back to top | OS Build 17134.1009 September 23, 2019 KB4522014 | Resolved KB4524149 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4520008. Back to top | OS Build 17134.1009 September 23, 2019 KB4522014 | Resolved KB4520008 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: Due to security related changes in KB4516058, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Back to top | OS Build 17134.1006 September 10, 2019 KB4516058 | Resolved | Resolved: September 19, 2019 04:08 PM PT Opened: September 13, 2019 05:25 PM PT |
| Notification issue: \"Your device is missing important security and quality fixes.\" Some users may have incorrectly received the notification \"Your device is missing important security and quality fixes\" in the Windows Update dialog and a red \"!\" in the task tray on the Windows Update tray icon. This notification is intended for devices that are 90 days or more out of date, but some users with installed updates released in June or July also saw this notification. Affected platforms:
Resolution: This issue was resolved on the server side on August 30, 2019. Only devices that are out of date by 90 days or more should now see the notification. No action is required by the user to resolve this issue. If you are still seeing the \"Your device is missing important security and quality fixes\" notification, we recommend selecting Check for Updates in the Windows Update dialog. For instructions, see Update Windows 10. Microsoft always recommends trying to keep your devices up to date, as the monthly updates contain important security fixes. Back to top | N/A | Resolved | Resolved: September 03, 2019 12:32 PM PT Opened: September 03, 2019 12:32 PM PT |
| Details | Originating update | Status | History |
| End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions. Affected platforms:
Resolution: This issue was resolved in KB4493464. Back to top | OS Build 17134.677 March 19, 2019 KB4489894 | Resolved KB4493464 | Resolved: April 09, 2019 10:00 AM PT Opened: March 19, 2019 10:00 AM PT |
| Custom URI schemes may not start corresponding application After installing KB4489868, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer. Affected platforms:
Resolution: This issue is resolved in KB4493437. Back to top | OS Build 17134.648 March 12, 2019 KB4489868 | Resolved KB4493437 | Resolved: April 25, 2019 02:00 PM PT Opened: March 12, 2019 10:00 AM PT |
| Stop error when attempting to start SSH from WSL After applying KB4489868, a stop error occurs when attempting to start the Secure Shell (SSH) client program from Windows Subsystem for Linux (WSL) with agent forwarding enabled using a command line switch (ssh -A) or a configuration setting. Affected platforms:
Resolution: This issue was resolved in KB4493464. Back to top | OS Build 17134.648 March 12, 2019 KB4489868 | Resolved KB4493464 | Resolved: April 09, 2019 10:00 AM PT Opened: March 12, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms:
Resolution: This issue is resolved in KB4493464. Back to top | OS Build 17134.590 February 12, 2019 KB4487017 | Resolved KB4493464 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| MSXML6 may cause applications to stop responding After installing KB4480966, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. Affected platforms:
Resolution: This issue was resolved in KB4493464. Back to top | OS Build 17134.523 January 08, 2019 KB4480966 | Resolved KB4493464 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 17763.740 September 23, 2019 KB4522015 | Resolved KB4524148 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 17763.740 September 23, 2019 KB4522015 | Resolved KB4519338 | October 08, 2019 10:00 AM PT |
| Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data. See details > | OS Build 17763.55 October 09, 2018 KB4464330 | Resolved KB4516077 | September 24, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 17763.737 September 10, 2019 KB4512578 | Resolved | September 19, 2019 04:08 PM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 17763.652 July 22, 2019 KB4505658 | Resolved KB4511553 | August 13, 2019 10:00 AM PT |
| Latest cumulative update (KB 4495667) installs automatically Reports that the optional cumulative update (KB 4495667) installs automatically. See details > | OS Build 17763.475 May 03, 2019 KB4495667 | Resolved | May 08, 2019 03:37 PM PT |
| System may be unresponsive after restart if ArcaBit antivirus software installed After further investigation ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 See details > | OS Build 17763.437 April 09, 2019 KB4493509 | Resolved | May 08, 2019 03:30 PM PT |
| Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer. See details > | OS Build 17763.379 March 12, 2019 KB4489899 | Resolved KB4495667 | May 03, 2019 10:00 AM PT |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. See details > | OS Build 17763.316 February 12, 2019 KB4487044 | Resolved KB4493509 | April 09, 2019 10:00 AM PT |
| Internet Explorer 11 authentication issue with multiple concurrent logons Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine. See details > | OS Build 17763.253 January 08, 2019 KB4480116 | Resolved KB4493509 | April 09, 2019 10:00 AM PT |
| End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. See details > | OS Build 17763.404 April 02, 2019 KB4490481 | Resolved KB4493509 | April 09, 2019 10:00 AM PT |
| MSXML6 may cause applications to stop responding MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). See details > | OS Build 17763.253 January 08, 2019 KB4480116 | Resolved KB4493509 | April 09, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524148. Back to top | OS Build 17763.740 September 23, 2019 KB4522015 | Resolved KB4524148 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4519338. Back to top | OS Build 17763.740 September 23, 2019 KB4522015 | Resolved KB4519338 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: Due to security related changes in KB4512578, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Back to top | OS Build 17763.737 September 10, 2019 KB4512578 | Resolved | Resolved: September 19, 2019 04:08 PM PT Opened: September 13, 2019 05:25 PM PT |
| Details | Originating update | Status | History |
| System may be unresponsive after restart if ArcaBit antivirus software installed ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server). Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart. Affected platforms:
Workaround: ArcaBit has released an update to address this issue for affected platforms. For more information, see the ArcaBit support article. Resolution: This issue has been resolved. ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server). Back to top | OS Build 17763.437 April 09, 2019 KB4493509 | Resolved | Resolved: May 08, 2019 03:30 PM PT Opened: April 09, 2019 10:00 AM PT |
| End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions. Affected platforms:
Resolution: This issue was resolved in KB4493509. Back to top | OS Build 17763.404 April 02, 2019 KB4490481 | Resolved KB4493509 | Resolved: April 09, 2019 10:00 AM PT Opened: April 02, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms:
Resolution: This issue is resolved in KB4493509. Back to top | OS Build 17763.316 February 12, 2019 KB4487044 | Resolved KB4493509 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Internet Explorer 11 authentication issue with multiple concurrent logons After installing KB4480116, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
Affected platforms:
Resolution: This issue was resolved in KB4493509. Back to top | OS Build 17763.253 January 08, 2019 KB4480116 | Resolved KB4493509 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
| MSXML6 may cause applications to stop responding After installing KB4480116, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. Affected platforms:
Resolution: This issue was resolved in KB4493509. Back to top | OS Build 17763.253 January 08, 2019 KB4480116 | Resolved KB4493509 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 18362.357 September 23, 2019 KB4522016 | Resolved KB4524147 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 18362.357 September 23, 2019 KB4522016 | Resolved KB4517389 | October 08, 2019 10:00 AM PT |
| Audio in games is quiet or different than expected Microsoft has received reports that audio in certain games is quieter or different than expected. See details > | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved KB4517211 | September 26, 2019 02:00 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved | September 19, 2019 04:08 PM PT |
| Some users report issues related to the Start menu and Windows Desktop Search Microsoft has received reports that a small number of users are having issues related to the Start menu and Windows Desktop Search. See details > | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved | September 19, 2019 04:58 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524147. Back to top | OS Build 18362.357 September 23, 2019 KB4522016 | Resolved KB4524147 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4517389. Back to top | OS Build 18362.357 September 23, 2019 KB4522016 | Resolved KB4517389 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Audio in games is quiet or different than expected Microsoft has received reports that audio in certain games is quieter or different than expected. At the request of some of our audio partners, we implemented a compatibility change that enabled certain games to query support and render multi-channel audio. Due to customer feedback, we are reverting this change as some games and some devices are not rendering multi-channel audio as expected. This may result in games sounding different than customers are used to and may have missing channels. Affected platforms:
Resolution: This issue was resolved in KB4517211. Back to top | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved KB4517211 | Resolved: September 26, 2019 02:00 PM PT Opened: September 13, 2019 05:25 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: Due to security related changes in KB4515384, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Back to top | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved | Resolved: September 19, 2019 04:08 PM PT Opened: September 13, 2019 05:25 PM PT |
| Some users report issues related to the Start menu and Windows Desktop Search Microsoft has received reports that a small number of users are having issues related to the Start menu and Windows Desktop Search. Affected platforms:
Resolution: At this time, Microsoft has not found a Search or Start issue significantly impacting users originating from KB4515384. We will continue monitoring to ensure users have a high-quality experience when interacting with these areas. If you are currently having issues, we recommend you to take a moment to report it in via the Feedback Hub (Windows + F) then try the Windows 10 Troubleshoot settings (found in Settings). If you are having an issue with search, see Fix problems in Windows Search. Back to top | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved | Resolved: September 19, 2019 04:58 PM PT Opened: September 11, 2019 05:18 PM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516048 | Resolved KB4524157 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516048 | Resolved KB4519976 | October 08, 2019 10:00 AM PT |
| You may receive an error when opening or using the Toshiba Qosmio AV Center Toshiba Qosmio AV Center may error when opening and you may also receive an error in Event Log related to cryptnet.dll. See details > | August 13, 2019 KB4512506 | Resolved KB4516048 | September 24, 2019 10:00 AM PT |
| Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed See details > | August 13, 2019 KB4512506 | Resolved External | August 27, 2019 02:29 PM PT |
| Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\" See details > | June 11, 2019 KB4503292 | Resolved KB4512514 | August 17, 2019 02:00 PM PT |
| System unresponsive after restart if Sophos Endpoint Protection installed Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart. See details > | April 09, 2019 KB4493472 | Resolved | May 14, 2019 01:22 PM PT |
| System may be unresponsive after restart if Avira antivirus software installed Devices with Avira antivirus software installed may become unresponsive upon restart. See details > | April 09, 2019 KB4493472 | Resolved | May 14, 2019 01:21 PM PT |
| Authentication may fail for services after the Kerberos ticket expires Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires. See details > | March 12, 2019 KB4489878 | Resolved KB4499164 | May 14, 2019 10:00 AM PT |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. See details > | February 12, 2019 KB4486563 | Resolved KB4493472 | April 09, 2019 10:00 AM PT |
| Devices may not respond at login or Welcome screen if running certain Avast software Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart. See details > | April 09, 2019 KB4493472 | Resolved | April 25, 2019 02:00 PM PT |
| NETDOM.EXE fails to run NETDOM.EXE fails to run and the error, “The command failed to complete successfully.” appears on screen. See details > | March 12, 2019 KB4489878 | Resolved KB4493472 | April 09, 2019 10:00 AM PT |
| Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer. See details > | March 12, 2019 KB4489878 | Resolved KB4493472 | April 09, 2019 10:00 AM PT |
| Internet Explorer 11 authentication issue with multiple concurrent logons Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine. See details > | January 08, 2019 KB4480970 | Resolved KB4493472 | April 09, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4524157. If you are using Security Only updates, see KB4524135 for resolving KB for your platform. Back to top | September 24, 2019 KB4516048 | Resolved KB4524157 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4519976. If you are using Security Only updates, see KB4519974 for resolving KB for your platform. Back to top | September 24, 2019 KB4516048 | Resolved KB4519976 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| You may receive an error when opening or using the Toshiba Qosmio AV Center After installing KB4512506, you may receive an error when opening or using the Toshiba Qosmio AV Center. You may also receive an error in Event Log related to cryptnet.dll. Affected platforms:
Resolution: This issue was resolved in KB4516048. Back to top | August 13, 2019 KB4512506 | Resolved KB4516048 | Resolved: September 24, 2019 10:00 AM PT Opened: September 10, 2019 09:48 AM PT |
| Details | Originating update | Status | History |
| Authentication may fail for services after the Kerberos ticket expires After installing KB4489878, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails. Affected platforms:
Resolution: This issue was resolved in KB4499164. Back to top | March 12, 2019 KB4489878 | Resolved KB4499164 | Resolved: May 14, 2019 10:00 AM PT Opened: March 12, 2019 10:00 AM PT |
| NETDOM.EXE fails to run After installing KB4489878, NETDOM.EXE fails to run, and the on-screen error, “The command failed to complete successfully.” appears. Affected platforms:
Resolution: This issue is resolved in KB4493472. Back to top | March 12, 2019 KB4489878 | Resolved KB4493472 | Resolved: April 09, 2019 10:00 AM PT Opened: March 12, 2019 10:00 AM PT |
| Custom URI schemes may not start corresponding application After installing KB4489878, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer. Affected platforms:
Resolution: This issue is resolved in KB4493472. Back to top | March 12, 2019 KB4489878 | Resolved KB4493472 | Resolved: April 09, 2019 10:00 AM PT Opened: March 12, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms:
Resolution: This issue is resolved in KB4493472. Back to top | February 12, 2019 KB4486563 | Resolved KB4493472 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Internet Explorer 11 authentication issue with multiple concurrent logons After installing KB4480970, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
Affected platforms:
Resolution: This issue is resolved in KB4493472. Back to top | January 08, 2019 KB4480970 | Resolved KB4493472 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516041 | Resolved KB4524156 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516041 | Resolved KB4520005 | October 08, 2019 10:00 AM PT |
| Windows RT 8.1 devices may have issues opening Internet Explorer 11 On Windows RT 8.1 devices, Internet Explorer 11 may not open and you may receive an error. See details > | September 10, 2019 KB4516067 | Resolved KB4516041 | September 24, 2019 10:00 AM PT |
| Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\" See details > | June 11, 2019 KB4503276 | Resolved KB4512478 | August 17, 2019 02:00 PM PT |
| Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error. See details > | August 13, 2019 KB4512488 | Resolved KB4517298 | August 16, 2019 02:00 PM PT |
| System may be unresponsive after restart if ArcaBit antivirus software installed Devices with ArcaBit antivirus software installed may become unresponsive upon restart. See details > | April 09, 2019 KB4493446 | Resolved | May 14, 2019 01:22 PM PT |
| System unresponsive after restart if Sophos Endpoint Protection installed Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart. See details > | April 09, 2019 KB4493446 | Resolved | May 14, 2019 01:22 PM PT |
| System may be unresponsive after restart if Avira antivirus software installed Devices with Avira antivirus software installed may become unresponsive upon restart. See details > | April 09, 2019 KB4493446 | Resolved | May 14, 2019 01:21 PM PT |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. See details > | February 12, 2019 KB4487000 | Resolved KB4493446 | April 09, 2019 10:00 AM PT |
| Devices may not respond at login or Welcome screen if running certain Avast software Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart. See details > | April 09, 2019 KB4493446 | Resolved | April 25, 2019 02:00 PM PT |
| Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer. See details > | March 12, 2019 KB4489881 | Resolved KB4493446 | April 09, 2019 10:00 AM PT |
| MSXML6 may cause applications to stop responding. MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). See details > | January 08, 2019 KB4480963 | Resolved KB4493446 | April 09, 2019 10:00 AM PT |
| Internet Explorer 11 authentication issue with multiple concurrent logons Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine. See details > | January 08, 2019 KB4480963 | Resolved KB4493446 | April 09, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4524156. If you are using Security Only updates, see KB4524135 for resolving KB for your platform. Back to top | September 24, 2019 KB4516041 | Resolved KB4524156 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4520005. If you are using Security Only updates, see KB4519974 for resolving KB for your platform. Back to top | September 24, 2019 KB4516041 | Resolved KB4520005 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Windows RT 8.1 devices may have issues opening Internet Explorer 11 On Windows 8.1 RT devices, Internet Explorer 11 may not open and you may receive the error, \"C:\\Program Files\\Internet Explorer\\iexplore.exe: A certificate was explicitly revoked by its issuer.\" Affected platforms:
Resolution: This issue was resolved in KB4516041. Back to top | September 10, 2019 KB4516067 | Resolved KB4516041 | Resolved: September 24, 2019 10:00 AM PT Opened: September 13, 2019 05:25 PM PT |
| Details | Originating update | Status | History |
| Issue using PXE to start a device from WDS After installing KB4489881, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension. Affected platforms:
Resolution: This issue was resolved in KB4503276. Back to top | March 12, 2019 KB4489881 | Resolved KB4503276 | Resolved: June 11, 2019 10:00 AM PT Opened: March 12, 2019 10:00 AM PT |
| Custom URI schemes may not start corresponding application After installing KB4489881, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer. Affected platforms:
Resolution: This issue is resolved in KB4493446. Back to top | March 12, 2019 KB4489881 | Resolved KB4493446 | Resolved: April 09, 2019 10:00 AM PT Opened: March 12, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms
Resolution: This issue is resolved in KB4493446. Back to top | February 12, 2019 KB4487000 | Resolved KB4493446 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| MSXML6 may cause applications to stop responding. After installing KB4480963, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. Affected platforms:
Resolution: This issue is resolved in KB4493446. Back to top | January 08, 2019 KB4480963 | Resolved KB4493446 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
| Internet Explorer 11 authentication issue with multiple concurrent logons After installing KB4480963, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
Affected platforms:
Resolution: This issue is resolved in KB4493446. Back to top | January 08, 2019 KB4480963 | Resolved KB4493446 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516030 | Resolved KB4524135 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516030 | Resolved KB4520002 | October 08, 2019 10:00 AM PT |
| Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\" See details > | June 11, 2019 KB4503273 | Resolved KB4512499 | August 17, 2019 02:00 PM PT |
| Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error. See details > | August 13, 2019 KB4512476 | Resolved KB4517301 | August 16, 2019 02:00 PM PT |
| MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later. See details > | June 11, 2019 KB4503273 | Resolved External | August 09, 2019 07:03 PM PT |
| System unresponsive after restart if Sophos Endpoint Protection installed Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart. See details > | April 09, 2019 KB4493471 | Resolved | May 14, 2019 01:21 PM PT |
| System may be unresponsive after restart if Avira antivirus software installed Devices with Avira antivirus software installed may become unresponsive upon restart. See details > | April 09, 2019 KB4493471 | Resolved | May 14, 2019 01:19 PM PT |
| Authentication may fail for services after the Kerberos ticket expires Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires. See details > | March 12, 2019 KB4489880 | Resolved KB4499149 | May 14, 2019 10:00 AM PT |
| NETDOM.EXE fails to run NETDOM.EXE fails to run and the error, “The command failed to complete successfully.” appears on screen. See details > | March 12, 2019 KB4489880 | Resolved KB4493471 | April 09, 2019 10:00 AM PT |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. See details > | February 12, 2019 KB4487023 | Resolved KB4493471 | April 09, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524135. Back to top | September 24, 2019 KB4516030 | Resolved KB4524135 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4520002. If you are using Security Only updates, see KB4519974 for resolving KB for your platform. Back to top | September 24, 2019 KB4516030 | Resolved KB4520002 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Details | Originating update | Status | History |
| Authentication may fail for services after the Kerberos ticket expires After installing KB4489880, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails. Affected platforms:
Resolution: This issue was resolved in KB4499149. Back to top | March 12, 2019 KB4489880 | Resolved KB4499149 | Resolved: May 14, 2019 10:00 AM PT Opened: March 12, 2019 10:00 AM PT |
| NETDOM.EXE fails to run After installing KB4489880, NETDOM.EXE fails to run, and the on-screen error, “The command failed to complete successfully.” appears. Affected platforms:
Resolution: This issue is resolved in KB4493471. Back to top | March 12, 2019 KB4489880 | Resolved KB4493471 | Resolved: April 09, 2019 10:00 AM PT Opened: March 12, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms
Resolution: This issue is resolved in KB4493471. Back to top | February 12, 2019 KB4487023 | Resolved KB4493471 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
| Summary | Originating update | Status | Date resolved |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516069 | Resolved KB4524154 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516069 | Resolved KB4520007 | October 08, 2019 10:00 AM PT |
| Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\" See details > | June 11, 2019 KB4503285 | Resolved KB4512512 | August 17, 2019 02:00 PM PT |
| Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error. See details > | August 13, 2019 KB4512518 | Resolved KB4517302 | August 16, 2019 02:00 PM PT |
| MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later. See details > | June 11, 2019 KB4503285 | Resolved External | August 09, 2019 07:03 PM PT |
| Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. See details > | April 25, 2019 KB4493462 | Resolved KB4499171 | May 14, 2019 10:00 AM PT |
| System unresponsive after restart if Sophos Endpoint Protection installed Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart. See details > | April 09, 2019 KB4493451 | Resolved | May 14, 2019 01:21 PM PT |
| System may be unresponsive after restart if Avira antivirus software installed Devices with Avira antivirus software installed may become unresponsive upon restart. See details > | April 09, 2019 KB4493451 | Resolved | May 14, 2019 01:19 PM PT |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. See details > | February 12, 2019 KB4487025 | Resolved KB4493451 | April 09, 2019 10:00 AM PT |
| Internet Explorer 11 authentication issue with multiple concurrent logons Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine. See details > | January 08, 2019 KB4480975 | Resolved KB4493451 | April 09, 2019 10:00 AM PT |
| MSXML6 may cause applications to stop responding MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). See details > | January 08, 2019 KB4480975 | Resolved KB4493451 | April 09, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4524154. If you are using Security Only updates, see KB4524135 for resolving KB for your platform. Back to top | September 24, 2019 KB4516069 | Resolved KB4524154 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4520007. If you are using Security Only updates, see KB4519974 for resolving KB for your platform. Back to top | September 24, 2019 KB4516069 | Resolved KB4520007 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
After installing KB4489891, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.
Affected platforms:
- Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4503285.
Back to top
KB4489891
KB4503285
June 11, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT
| Details | Originating update | Status | History |
| Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms
Resolution: This issue is resolved in KB4493451. Back to top | February 12, 2019 KB4487025 | Resolved KB4493451 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Internet Explorer 11 authentication issue with multiple concurrent logons After installing KB4480975, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
Affected platforms:
Resolution: This issue is resolved in KB4493451. Back to top | January 08, 2019 KB4480975 | Resolved KB4493451 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
| MSXML6 may cause applications to stop responding After installing KB4480975, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. Affected platforms:
Resolution: This issue is resolved in KB4493451. Back to top | January 08, 2019 KB4480975 | Resolved KB4493451 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 10240.18334 September 23, 2019 KB4522009 | Resolved KB4524153 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 10240.18334 September 23, 2019 KB4522009 | Resolved KB4520011 | October 08, 2019 10:00 AM PT |
| Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". See details > | OS Build 10240.18094 January 08, 2019 KB4480962 | Mitigated | April 25, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524153. Back to top | OS Build 10240.18334 September 23, 2019 KB4522009 | Resolved KB4524153 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4520011. Back to top | OS Build 10240.18334 September 23, 2019 KB4522009 | Resolved KB4520011 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 14393.3206 September 23, 2019 KB4522010 | Resolved KB4524152 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 14393.3206 September 23, 2019 KB4522010 | Resolved KB4519998 | October 08, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 14393.3204 September 10, 2019 KB4516044 | Resolved | September 17, 2019 04:47 PM PT |
| Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data. See details > | OS Build 14393.3053 June 18, 2019 KB4503294 | Resolved KB4516044 | September 10, 2019 10:00 AM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 14393.3115 July 16, 2019 KB4507459 | Resolved KB4512517 | August 13, 2019 10:00 AM PT |
| Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". See details > | OS Build 14393.2724 January 08, 2019 KB4480961 | Mitigated | April 25, 2019 02:00 PM PT |
| Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM. See details > | OS Build 14393.2608 November 13, 2018 KB4467691 | Mitigated | February 19, 2019 10:00 AM PT |
| Cluster service may fail if the minimum password length is set to greater than 14 The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters. See details > | OS Build 14393.2639 November 27, 2018 KB4467684 | Mitigated | April 25, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524152. Back to top | OS Build 14393.3206 September 23, 2019 KB4522010 | Resolved KB4524152 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4519998. Back to top | OS Build 14393.3206 September 23, 2019 KB4522010 | Resolved KB4519998 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: After investigation, we have found that this issue does not affect this version of Windows. Back to top | OS Build 14393.3204 September 10, 2019 KB4516044 | Resolved | Resolved: September 17, 2019 04:47 PM PT Opened: September 13, 2019 05:25 PM PT |
| Details | Originating update | Status | History |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507459. Devices that are domain controllers or domain members are both affected. To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903. Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms - Affected platforms:
Resolution: This issue was resolved in KB4512517 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903. Back to top | OS Build 14393.3115 July 16, 2019 KB4507459 | Resolved KB4512517 | Resolved: August 13, 2019 10:00 AM PT Opened: July 25, 2019 06:10 PM PT |
Current status as of August 23, 2019: The Enterprise and Education editions of Windows 10, version 1703 (the Windows 10 Creators Update) will reach end of life on October 9, 2019. The Home, Pro, Pro for Workstations, and IoT Core editions reached end of service on October 8, 2018. There is no extended support available for any edition of Windows 10, version 1703. Therefore, it will no longer be supported after October 9, 2019 and will not receive monthly security and quality updates containing protections from the latest security threats. To continue receiving security and quality updates, Microsoft recommends that you update your devices to the latest version of Windows 10. For more information on end of service dates and currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
+ | Windows 10, version 1703 has reached end of service Consumer and commercial editions of Windows 10, version 1703 have reached end of service. As devices running these editions are no longer receiving monthly security and quality updates containing protections from the latest security threats, we recommend that you update these devices to the latest version of Windows 10 immediately. For more information on end of service dates currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
|
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 15063.2046 September 23, 2019 KB4522011 | Resolved KB4524151 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 15063.2046 September 23, 2019 KB4522011 | Resolved KB4520010 | October 08, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 15063.2045 September 10, 2019 KB4516068 | Resolved | September 17, 2019 04:47 PM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 15063.1955 July 16, 2019 KB4507467 | Resolved KB4512507 | August 13, 2019 10:00 AM PT |
| Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". See details > | OS Build 15063.1563 January 08, 2019 KB4480973 | Mitigated | April 25, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524151. Back to top | OS Build 15063.2046 September 23, 2019 KB4522011 | Resolved KB4524151 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4520010. Back to top | OS Build 15063.2046 September 23, 2019 KB4522011 | Resolved KB4520010 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: After investigation, we have found that this issue does not affect this version of Windows. Back to top | OS Build 15063.2045 September 10, 2019 KB4516068 | Resolved | Resolved: September 17, 2019 04:47 PM PT Opened: September 13, 2019 05:25 PM PT |
| Details | Originating update | Status | History |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507467. Devices that are domain controllers or domain members are both affected. To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903. Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms - Affected platforms:
Resolution: This issue was resolved in KB4512507 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903. Back to top | OS Build 15063.1955 July 16, 2019 KB4507467 | Resolved KB4512507 | Resolved: August 13, 2019 10:00 AM PT Opened: July 25, 2019 06:10 PM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 16299.1392 September 23, 2019 KB4522012 | Resolved KB4524150 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 16299.1392 September 23, 2019 KB4522012 | Resolved KB4520004 | October 08, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 16299.1387 September 10, 2019 KB4516066 | Resolved | September 19, 2019 04:08 PM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 16299.1296 July 16, 2019 KB4507465 | Resolved KB4512516 | August 13, 2019 10:00 AM PT |
| Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". See details > | OS Build 16299.904 January 08, 2019 KB4480978 | Mitigated | April 25, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524150. Back to top | OS Build 16299.1392 September 23, 2019 KB4522012 | Resolved KB4524150 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4520004. Back to top | OS Build 16299.1392 September 23, 2019 KB4522012 | Resolved KB4520004 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: Due to security related changes in KB4516066, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Back to top | OS Build 16299.1387 September 10, 2019 KB4516066 | Resolved | Resolved: September 19, 2019 04:08 PM PT Opened: September 13, 2019 05:25 PM PT |
| Details | Originating update | Status | History |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507465. Devices that are domain controllers or domain members are both affected. To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903. Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms - Affected platforms:
Resolution: This issue was resolved in KB4512516 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903. Back to top | OS Build 16299.1296 July 16, 2019 KB4507465 | Resolved KB4512516 | Resolved: August 13, 2019 10:00 AM PT Opened: July 25, 2019 06:10 PM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 17134.1009 September 23, 2019 KB4522014 | Resolved KB4524149 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 17134.1009 September 23, 2019 KB4522014 | Resolved KB4520008 | October 08, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 17134.1006 September 10, 2019 KB4516058 | Resolved | September 19, 2019 04:08 PM PT |
| Windows Mixed Reality Portal users may intermittently receive a 15-5 error code You may receive a 15-5 error code in Windows Mixed Reality Portal and your headset may not respond to \"wake up\" from sleep. See details > | OS Build 17134.950 August 13, 2019 KB4512501 | Mitigated | September 11, 2019 05:32 PM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 17134.915 July 16, 2019 KB4507466 | Resolved KB4512501 | August 13, 2019 10:00 AM PT |
| Startup to a black screen after installing updates Your device may startup to a black screen during the first logon after installing updates. See details > | OS Build 17134.829 June 11, 2019 KB4503286 | Mitigated | June 14, 2019 04:41 PM PT |
| Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". See details > | OS Build 17134.523 January 08, 2019 KB4480966 | Mitigated | April 25, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524149. Back to top | OS Build 17134.1009 September 23, 2019 KB4522014 | Resolved KB4524149 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4520008. Back to top | OS Build 17134.1009 September 23, 2019 KB4522014 | Resolved KB4520008 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: Due to security related changes in KB4516058, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Back to top | OS Build 17134.1006 September 10, 2019 KB4516058 | Resolved | Resolved: September 19, 2019 04:08 PM PT Opened: September 13, 2019 05:25 PM PT |
| Windows Mixed Reality Portal users may intermittently receive a 15-5 error code After installing KB4512501, Windows Mixed Reality Portal users may intermittently receive a 15-5 error code. In some cases, Windows Mixed Reality Portal may report that the headset is sleeping and pressing “Wake up” may appear to produce no action. Affected platforms:
Workaround: To mitigate the issue, use the following steps:
Next steps: We are working on a resolution and will provide an update in an upcoming release. Back to top | OS Build 17134.950 August 13, 2019 KB4512501 | Mitigated | Last updated: September 11, 2019 05:32 PM PT Opened: September 11, 2019 05:32 PM PT |
| Details | Originating update | Status | History |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507466. Devices that are domain controllers or domain members are both affected. To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903. Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms - Affected platforms:
Resolution: This issue was resolved in KB4512501 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903. Back to top | OS Build 17134.915 July 16, 2019 KB4507466 | Resolved KB4512501 | Resolved: August 13, 2019 10:00 AM PT Opened: July 25, 2019 06:10 PM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 17763.740 September 23, 2019 KB4522015 | Resolved KB4524148 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 17763.740 September 23, 2019 KB4522015 | Resolved KB4519338 | October 08, 2019 10:00 AM PT |
| Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data. See details > | OS Build 17763.55 October 09, 2018 KB4464330 | Resolved KB4516077 | September 24, 2019 10:00 AM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 17763.737 September 10, 2019 KB4512578 | Resolved | September 19, 2019 04:08 PM PT |
| Windows Mixed Reality Portal users may intermittently receive a 15-5 error code You may receive a 15-5 error code in Windows Mixed Reality Portal and your headset may not respond to \"wake up\" from sleep. See details > | OS Build 17763.678 August 13, 2019 KB4511553 | Mitigated | September 11, 2019 05:32 PM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 17763.652 July 22, 2019 KB4505658 | Resolved KB4511553 | August 13, 2019 10:00 AM PT |
| Startup to a black screen after installing updates Your device may startup to a black screen during the first logon after installing updates. See details > | OS Build 17763.557 June 11, 2019 KB4503327 | Mitigated | June 14, 2019 04:41 PM PT |
| Devices with some Asian language packs installed may receive an error After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F See details > | OS Build 17763.437 April 09, 2019 KB4493509 | Mitigated | May 03, 2019 10:59 AM PT |
| Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". See details > | OS Build 17763.253 January 08, 2019 KB4480116 | Mitigated | April 09, 2019 10:00 AM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524148. Back to top | OS Build 17763.740 September 23, 2019 KB4522015 | Resolved KB4524148 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4519338. Back to top | OS Build 17763.740 September 23, 2019 KB4522015 | Resolved KB4519338 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: Due to security related changes in KB4512578, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Back to top | OS Build 17763.737 September 10, 2019 KB4512578 | Resolved | Resolved: September 19, 2019 04:08 PM PT Opened: September 13, 2019 05:25 PM PT |
| Windows Mixed Reality Portal users may intermittently receive a 15-5 error code After installing KB4511553, Windows Mixed Reality Portal users may intermittently receive a 15-5 error code. In some cases, Windows Mixed Reality Portal may report that the headset is sleeping and pressing “Wake up” may appear to produce no action. Affected platforms:
Workaround: To mitigate the issue, use the following steps:
Next steps: We are working on a resolution and will provide an update in an upcoming release. Back to top | OS Build 17763.678 August 13, 2019 KB4511553 | Mitigated | Last updated: September 11, 2019 05:32 PM PT Opened: September 11, 2019 05:32 PM PT |
| Details | Originating update | Status | History |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4505658. Devices that are domain controllers or domain members are both affected. To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903. Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms - Affected platforms:
Resolution: This issue was resolved in KB4511553 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903. Back to top | OS Build 17763.652 July 22, 2019 KB4505658 | Resolved KB4511553 | Resolved: August 13, 2019 10:00 AM PT Opened: July 25, 2019 06:10 PM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 18362.357 September 23, 2019 KB4522016 | Resolved KB4524147 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | OS Build 18362.357 September 23, 2019 KB4522016 | Resolved KB4517389 | October 08, 2019 10:00 AM PT |
| Audio in games is quiet or different than expected Microsoft has received reports that audio in certain games is quieter or different than expected. See details > | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved KB4517211 | September 26, 2019 02:00 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage. See details > | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved | September 19, 2019 04:08 PM PT |
| Some users report issues related to the Start menu and Windows Desktop Search Microsoft has received reports that a small number of users are having issues related to the Start menu and Windows Desktop Search. See details > | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved | September 19, 2019 04:58 PM PT |
| Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters Microsoft and NEC have found incompatibility issues with some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards when running Windows 10, version 1903. See details > | N/A | Mitigated | September 13, 2019 05:25 PM PT |
| Screenshots and Snips have an unnatural orange tint Users have reported an orange tint on Screenshots and Snips with the Lenovo Vantage app installed See details > | OS Build 18362.356 September 10, 2019 KB4516115 | Resolved External | September 11, 2019 08:54 PM PT |
| Windows Desktop Search may not return any results and may have high CPU usage Windows Desktop Search may not return any results and SearchUI.exe may have high CPU usage after installing KB4512941. See details > | OS Build 18362.329 August 30, 2019 KB4512941 | Resolved KB4515384 | September 10, 2019 10:00 AM PT |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating. See details > | OS Build 18362.145 May 29, 2019 KB4497935 | Resolved KB4512941 | August 30, 2019 10:00 AM PT |
| Issues updating when certain versions of Intel storage drivers are installed Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail. See details > | OS Build 18362.145 May 29, 2019 KB4497935 | Resolved KB4512941 | August 30, 2019 10:00 AM PT |
| Updates may fail to install and you may receive Error 0x80073701 Installation of updates may fail and you may receive an error, \"Updates Failed, There were problems installing some updates, but we'll try again later\" and \"Error 0x80073701.\" See details > | OS Build 18362.145 May 29, 2019 KB4497935 | Investigating | August 16, 2019 04:28 PM PT |
| Intermittent loss of Wi-Fi connectivity Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. See details > | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated External | August 01, 2019 08:44 PM PT |
| Gamma ramps, color profiles, and night light settings do not apply in some cases Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working. See details > | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | August 01, 2019 06:27 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524147. Back to top | OS Build 18362.357 September 23, 2019 KB4522016 | Resolved KB4524147 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Affected platforms:
Resolution: This issue was resolved in KB4517389. Back to top | OS Build 18362.357 September 23, 2019 KB4522016 | Resolved KB4517389 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Audio in games is quiet or different than expected Microsoft has received reports that audio in certain games is quieter or different than expected. At the request of some of our audio partners, we implemented a compatibility change that enabled certain games to query support and render multi-channel audio. Due to customer feedback, we are reverting this change as some games and some devices are not rendering multi-channel audio as expected. This may result in games sounding different than customers are used to and may have missing channels. Affected platforms:
Resolution: This issue was resolved in KB4517211. Back to top | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved KB4517211 | Resolved: September 26, 2019 02:00 PM PT Opened: September 13, 2019 05:25 PM PT |
| IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard. Affected platforms:
Resolution: Due to security related changes in KB4515384, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
Back to top | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved | Resolved: September 19, 2019 04:08 PM PT Opened: September 13, 2019 05:25 PM PT |
| Some users report issues related to the Start menu and Windows Desktop Search Microsoft has received reports that a small number of users are having issues related to the Start menu and Windows Desktop Search. Affected platforms:
Resolution: At this time, Microsoft has not found a Search or Start issue significantly impacting users originating from KB4515384. We will continue monitoring to ensure users have a high-quality experience when interacting with these areas. If you are currently having issues, we recommend you to take a moment to report it in via the Feedback Hub (Windows + F) then try the Windows 10 Troubleshoot settings (found in Settings). If you are having an issue with search, see Fix problems in Windows Search. Back to top | OS Build 18362.356 September 10, 2019 KB4515384 | Resolved | Resolved: September 19, 2019 04:58 PM PT Opened: September 11, 2019 05:18 PM PT |
| Details | Originating update | Status | History |
| Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4497935. Devices that are domain controllers or domain members are both affected. To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903. Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms - Affected platforms:
Resolution: This issue was resolved in KB4512941 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903. Back to top | OS Build 18362.145 May 29, 2019 KB4497935 | Resolved KB4512941 | Resolved: August 30, 2019 10:00 AM PT Opened: July 25, 2019 06:10 PM PT |
| Issues updating when certain versions of Intel storage drivers are installed Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903). To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST drivers, versions 15.1.0.1002 through version 15.5.2.1053 installed from installing or being offered Windows 10, version 1903 or Windows Server, version 1903, until the driver has been updated. Versions 15.5.2.1054 or later are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update. For affected devices, the recommended version is 15.9.8.1050. Affected platforms:
Resolution: This issue was resolved in KB4512941 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903. Back to top | OS Build 18362.145 May 29, 2019 KB4497935 | Resolved KB4512941 | Resolved: August 30, 2019 10:00 AM PT Opened: July 25, 2019 06:10 PM PT |
| The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU Microsoft has identified a compatibility issue on some Surface Book 2 devices configured with Nvidia discrete graphics processing unit (dGPU). After updating to Windows 10, version 1903 (May 2019 Feature Update), some apps or games that needs to perform graphics intensive operations may close or fail to open. To safeguard your update experience, we have applied a compatibility hold on Surface Book 2 devices with Nvidia dGPUs from being offered Windows 10, version 1903, until this issue is resolved. Affected platforms:
Workaround: To mitigate the issue if you are already on Windows 10, version 1903, you can restart the device or select the Scan for hardware changes button in the Action menu or on the toolbar in Device Manager. Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved. Next steps: We are working on a resolution and will provide an update in an upcoming release. Back to top | OS Build 18362.145 May 29, 2019 KB4497935 | Investigating | Last updated: July 16, 2019 09:04 AM PT Opened: July 12, 2019 04:20 PM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516048 | Resolved KB4524157 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516048 | Resolved KB4519976 | October 08, 2019 10:00 AM PT |
| You may receive an error when opening or using the Toshiba Qosmio AV Center Toshiba Qosmio AV Center may error when opening and you may also receive an error in Event Log related to cryptnet.dll. See details > | August 13, 2019 KB4512506 | Resolved KB4516048 | September 24, 2019 10:00 AM PT |
| IA64 and x64 devices may fail to start after installing updates After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start. See details > | August 13, 2019 KB4512506 | Mitigated | August 17, 2019 12:59 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4524157. If you are using Security Only updates, see KB4524135 for resolving KB for your platform. Back to top | September 24, 2019 KB4516048 | Resolved KB4524157 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4519976. If you are using Security Only updates, see KB4519974 for resolving KB for your platform. Back to top | September 24, 2019 KB4516048 | Resolved KB4519976 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| You may receive an error when opening or using the Toshiba Qosmio AV Center After installing KB4512506, you may receive an error when opening or using the Toshiba Qosmio AV Center. You may also receive an error in Event Log related to cryptnet.dll. Affected platforms:
Resolution: This issue was resolved in KB4516048. Back to top | August 13, 2019 KB4512506 | Resolved KB4516048 | Resolved: September 24, 2019 10:00 AM PT Opened: September 10, 2019 09:48 AM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516041 | Resolved KB4524156 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516041 | Resolved KB4520005 | October 08, 2019 10:00 AM PT |
| Windows RT 8.1 devices may have issues opening Internet Explorer 11 On Windows RT 8.1 devices, Internet Explorer 11 may not open and you may receive an error. See details > | September 10, 2019 KB4516067 | Resolved KB4516041 | September 24, 2019 10:00 AM PT |
| Japanese IME doesn't show the new Japanese Era name as a text input option If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option. See details > | April 25, 2019 KB4493443 | Mitigated | May 15, 2019 05:53 PM PT |
| Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. See details > | January 08, 2019 KB4480963 | Mitigated | April 25, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4524156. If you are using Security Only updates, see KB4524135 for resolving KB for your platform. Back to top | September 24, 2019 KB4516041 | Resolved KB4524156 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4520005. If you are using Security Only updates, see KB4519974 for resolving KB for your platform. Back to top | September 24, 2019 KB4516041 | Resolved KB4520005 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Windows RT 8.1 devices may have issues opening Internet Explorer 11 On Windows 8.1 RT devices, Internet Explorer 11 may not open and you may receive the error, \"C:\\Program Files\\Internet Explorer\\iexplore.exe: A certificate was explicitly revoked by its issuer.\" Affected platforms:
Resolution: This issue was resolved in KB4516041. Back to top | September 10, 2019 KB4516067 | Resolved KB4516041 | Resolved: September 24, 2019 10:00 AM PT Opened: September 13, 2019 05:25 PM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516030 | Resolved KB4524135 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516030 | Resolved KB4520002 | October 08, 2019 10:00 AM PT |
| Issues manually installing updates by double-clicking the .msu file You may encounter issues manually installing updates by double-clicking the .msu file and may receive an error. See details > | September 10, 2019 KB4474419 | Mitigated KB4474419 | September 24, 2019 08:17 AM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Affected platforms:
Resolution: This issue was resolved in KB4524135. Back to top | September 24, 2019 KB4516030 | Resolved KB4524135 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4520002. If you are using Security Only updates, see KB4519974 for resolving KB for your platform. Back to top | September 24, 2019 KB4516030 | Resolved KB4520002 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Issues manually installing updates by double-clicking the .msu file After installing the SHA-2 update (KB4474419) released on September 10, 2019, you may encounter issues manually installing updates by double-clicking on the .msu file and may receive the error, \"Installer encountered an error: 0x80073afc. The resource loader failed to find MUI file.\" Affected platforms:
Workaround: Open a command prompt and use the following command (replacing <msu location> with the actual location and filename of the update): wusa.exe <msu location> /quiet Resolution: This issue is resolved in KB4474419 released September 23, 2019. Currently, this version is only available from the Microsoft Update Catalog. To resolve this issue, you will need to manually download the package and use the workaround above to install it. Next steps: We estimate a solution will be available in mid-October on Windows Update and Windows Server Update Services (WSUS). Back to top | September 10, 2019 KB4474419 | Mitigated KB4474419 | Last updated: September 24, 2019 08:17 AM PT Opened: September 20, 2019 04:57 PM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516069 | Resolved KB4524154 | October 03, 2019 10:00 AM PT |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. See details > | September 24, 2019 KB4516069 | Resolved KB4520007 | October 08, 2019 10:00 AM PT |
| Japanese IME doesn't show the new Japanese Era name as a text input option If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option. See details > | April 25, 2019 KB4493462 | Mitigated | May 15, 2019 05:53 PM PT |
| Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. See details > | January 08, 2019 KB4480975 | Mitigated | April 25, 2019 02:00 PM PT |
| Details | Originating update | Status | History |
| Intermittent issues when printing The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps. Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4524154. If you are using Security Only updates, see KB4524135 for resolving KB for your platform. Back to top | September 24, 2019 KB4516069 | Resolved KB4524154 | Resolved: October 03, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Intermittent issues when printing Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019. Affected platforms:
Resolution: This issue was resolved in KB4520007. If you are using Security Only updates, see KB4519974 for resolving KB for your platform. Back to top | September 24, 2019 KB4516069 | Resolved KB4520007 | Resolved: October 08, 2019 10:00 AM PT Opened: September 30, 2019 06:26 PM PT |
| Message | Date | ||
| Windows 10, version 1703 has reached end of service Consumer and commercial editions of Windows 10, version 1703 have reached end of service. As devices running these editions are no longer receiving monthly security and quality updates containing protections from the latest security threats, we recommend that you update these devices to the latest version of Windows 10 immediately. For more information on end of service dates currently supported versions of Windows 10, see the Windows lifecycle fact sheet. | October 09, 2019 12:00 PM PT | ||
| Take Action: October 2019 security update available for all supported versions of Windows The October 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1903 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate. | October 08, 2019 08:00 AM PT | ||
| Take action: Security update available for all supported versions of Windows On October 3, 2019, Microsoft expanded delivery of the out-of-band Internet Explorer scripting engine security vulnerability (CVE-2019-1367) update released on September 23, 2019 to Windows Update and Windows Server Update Services (WSUS). This is now a required security update for all supported versions of Windows as it includes the Internet Explorer scripting engine vulnerability mitigation and corrects a recent printing issue some users have experienced. All customers using Windows Update or WSUS will be offered this update automatically. We recommend that you install this update as soon as a possible, then restart your PC to fully apply the mitigations and help secure your devices. As with all cumulative updates, this update supersedes any preceding update. Note: This update does not replace the standard October 2019 monthly security update release, which is scheduled for October 8, 2019. | October 03, 2019 08:00 AM PT | ||
| September 2019 Windows 10, version 1903 \"D\" optional release is available The September 2019 optional monthly “D” release for Windows 10, version 1903 is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release. | September 26, 2019 02:00 PM PT | ||
| Status update: September 2019 Windows \"C\" optional release available The September 2019 optional monthly “C” release for all supported versions of Windows is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release. | September 24, 2019 08:10 AM PT | ||
| 0x80090036 | -User cancelled an interactive dialog | +User canceled an interactive dialog | User will be asked to try again |
+
+3. In the Azure portal, you can verify that the Microsoft PIN reset service is integrated from the **Enterprise applications**, **All applications** blade.
+ + +#### Configure Windows devices to use PIN reset using Group Policy +You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object. + +1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory. +2. Edit the Group Policy object from step 1. +3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**. +4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. + +#### Configure Windows devices to use PIN reset using Microsoft Intune +To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 custom device policy](https://docs.microsoft.com/intune/custom-settings-windows-10) to enable the feature. Configure the policy using the following Windows policy configuration service provider (CSP): + +##### Create a PIN Reset Device configuration profile using Microsoft Intune + +1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account. +2. You need your tenant ID to complete the following task. You can discovery your tenant ID viewing the **Properties** of your Azure Active Directory from the Azure Portal. You can also use the following command in a command Window on any Azure AD joined or hybrid Azure AD joined computer. + ``` + dsregcmd /status | findstr -snip "tenantid" + ``` +3. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. Click **Create profile**. +4. Type **Use PIN Recovery** in the **Name** field. Select **Windows 10 and later** from the **Platform** list. Select **Custom** from the **Profile type** list. +5. In the **Custom OMA-URI Settings** blade, Click **Add**. +6. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where *tenant ID* is your Azure Active Directory tenant ID from step 2. +7. Select **Boolean** from the **Data type** list and select **True** from the **Value** list. +8. Click **OK** to save the row configuration. Click **OK** to close the Custom OMA-URI Settings blade. Click **Create to save the profile. + +##### Assign the PIN Reset Device configuration profile using Microsoft Intune +1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account. +2. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. From the list of device configuration profiles, click the profile that contains the PIN reset configuration. +3. In the device configuration profile, click **Assignments**. +4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups. + +### On-premises Deployments + +**Requirements** +* Active Directory +* On-premises Windows Hello for Business deployment +* Reset from settings - Windows 10, version 1703, Professional +* Reset above Lock - Windows 10, version 1709, Professional + +On-premises deployments provide users with the ability to reset forgotten PINs either through the settings page or from above the user's lock screen. Users must know or be provided their password for authentication, must perform a second factor of authentication, and then re-provision Windows Hello for Business. + +>[!IMPORTANT] +>Users must have corporate network connectivity to domain controllers and the federation service to reset their PINs. + +#### Reset PIN from Settings +1. Sign-in to Windows 10, version 1703 or later using an alternate credential. +2. Open **Settings**, click **Accounts**, click **Sign-in options**. +3. Under **PIN**, click **I forgot my PIN** and follow the instructions. + +#### Reset PIN above the Lock Screen + 1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in + 2. Enter your password and press enter. + 3. Follow the instructions provided by the provisioning process + 4. When finished, unlock your desktop using your newly created PIN. + +>[!NOTE] +> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video. + +## Dual Enrollment + +**Requirements** +* Hybrid and On-premises Windows Hello for Business deployments +* Enterprise Joined or Hybrid Azure joined devices +* Windows 10, version 1709 + +> [!NOTE] +> This feature was previously known as **Privileged Credential** but was renamed to **Dual Enrollment** to prevent any confusion with the **Privileged Access Workstation** feature. + +> [!IMPORTANT] +> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users. Enterprises can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature cannot be used. Read [Privileged Access Workstations](https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information. + +Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device. + +By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices. + +With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternating between privileged and non-privileged workloads. + +> [!IMPORTANT] +> You must configure a Windows 10 computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation. + +### Configure Windows Hello for Business Dual Enroll +In this task you will +- Configure Active Directory to support Domain Administrator enrollment +- Configure Dual Enrollment using Group Policy + +#### Configure Active Directory to support Domain Administrator enrollment +The designed Windows for Business configuration has you give the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy. + +Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but will they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute. + +Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. + +1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object. +```dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink``` +where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and **domainName\keyAdminGroup]** is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example: +```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink``` +2. To trigger security descriptor propagation, open **ldp.exe**. +3. Click **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and click **OK**. +4. Click **Connection** and select **Bind...** Click **OK** to bind as the currently signed-in user. +5. Click **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type **1**. Click **Enter** to add this to the **Entry List**. +6. Click **Run** to start the task. +7. Close LDP. + +#### Configuring Dual Enrollment using Group Policy +You configure Windows 10 to support dual enrollment using the computer configuration portion of a Group Policy object. + +1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users. +2. Edit the Group Policy object from step 1. +3. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**. +4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. +5. Restart computers targeted by this Group Policy object. + +The computer is ready for dual enrollment. Sign-in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign-out and sign-in as the non-privileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users. + +## Remote Desktop with Biometrics + +> [!Warning] +> Some information relates to pre-released product that may change before it is commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +**Requirements** +- Hybrid and On-premises Windows Hello for Business deployments +- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices +- Certificate trust deployments +- Biometric enrollments +- Windows 10, version 1809 + +Users using earlier versions of Windows 10 could remote desktop to using Windows Hello for Business but were limited to the using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809. + +> [!IMPORTANT] +> The remote desktop with biometrics feature only works with certificate trust deployments. The feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Microsoft continues to investigate supporting this feature for key trust deployments. + +### How does it work +It start with creating cryptographic keys. Windows generates and stores cryptographic keys using a software component called a key storage provider (KSP). Software-based keys are created and stored using the Microsoft Software Key Storage Provider. Smart card keys are created and stored using the Microsoft Smart Card Key Storage Provider. Keys created and protected by Windows Hello for Business are created and stored using the Microsoft Passport Key Storage Provider. + +A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP. Windows requests a certificate based on the key pair from your enterprises issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store. The private key remains on the smart card and the public key is stored with the certificate. Metadata on the certificate (and the key) store the key storage provider used to create the key (remember the certificate contains the public key). + +This same concept applies to Windows Hello for Business. Except, the keys are created using the Microsoft Passport KSP and the user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide this complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers directs the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card). + +Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN. Windows 10, version 1809 no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows 10 to prompt the user for their biometric gesture or PIN. + +### Compatibility +Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it. + + + +> [!IMPORTANT] +> The remote desktop with biometric feature does not work with [Dual Enrollment](#dual-enrollment) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature. + ## Related topics diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index d1c11a2a8c..060bf7e60a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -44,7 +44,7 @@ If you upgraded your Active Directory schema to the Windows Server 2016 schema a A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration. A user cannot provision Windows Hello for Business unless the device from which they are trying to provision has registered with Azure Active Directory. For more information about device registration, read [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/devices/overview). You can use the **dsregcmd.exe** command to determine if your device is registered to Azure Active Directory. - + ### CRL Distribution Point (CDP) @@ -122,7 +122,7 @@ You need to host your new certificate revocation list of a web server so Azure A 5. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Configuration Editor**. 6. In the **Section** list, navigate to **system.webServer/security/requestFiltering**.  - In the list of named value-pairs in the content pane, configure **allowDoubleEscapting** to **True**. Click **Apply** in the actions pane. + In the list of named value-pairs in the content pane, configure **allowDoubleEscaping** to **True**. Click **Apply** in the actions pane.  7. Close **Internet Information Services (IIS) Manager**. @@ -264,7 +264,7 @@ Steps you will perform include: 1. Sign-in a domain controller using administrative credentials. 2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer. 3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. -4. Click the **Certification Path** tab. In the **Certifcation path** view, select the top most node and click **View Certificate**. +4. Click the **Certification Path** tab. In the **Certification path** view, select the top most node and click **View Certificate**.  5. In the new **Certificate** dialog box, click the **Details** tab. Click **Copy to File**.  diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 433457239a..cf2079e8e5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -205,7 +205,7 @@ When you're using AD FS, you need to enable the following WS-Trust endpoints: `/adfs/services/trust/13/certificatemixed` > [!WARNING] -> Both **adfs/services/trust/2005/windowstransport** or **adfs/services/trust/13/windowstransport** should be enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web Application Proxy. To learn more on how to disable WS-Trust WIndows endpoints, see [Disable WS-Trust Windows endpoints on the proxy](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#disable-ws-trust-windows-endpoints-on-the-proxy-ie-from-extranet). You can see what endpoints are enabled through the AD FS management console under **Service** > **Endpoints**. +> Both **adfs/services/trust/2005/windowstransport** and **adfs/services/trust/13/windowstransport** should be enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web Application Proxy. To learn more on how to disable WS-Trust Windows endpoints, see [Disable WS-Trust Windows endpoints on the proxy](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#disable-ws-trust-windows-endpoints-on-the-proxy-ie-from-extranet). You can see what endpoints are enabled through the AD FS management console under **Service** > **Endpoints**. > [!NOTE] >If you don’t have AD FS as your on-premises federation service, follow the instructions from your vendor to make sure they support WS-Trust 1.3 or 2005 endpoints and that these are published through the Metadata Exchange file (MEX). diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 081ef80a5d..73d306bba1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -79,7 +79,7 @@ The key trust type does not require issuing authentication certificates to end u The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. > [!NOTE] -> RDP does not support authentication with Windows Hello for business key trust deployments. RDP is only supported with certificate trust deployments at this tim +> RDP does not support authentication with Windows Hello for Business key trust deployments. RDP is only supported with certificate trust deployments at this time. #### Device registration @@ -91,6 +91,9 @@ The built-in Windows Hello for Business provisioning experience creates a hardwa #### Multifactor authentication +> [!IMPORTANT] +> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multi-factor authentication for their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfaserver-deploy) for more details. + The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The built-in provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential. Cloud only and hybrid deployments provide many choices for multi-factor authentication. On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multi-factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information). diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 281385a751..ef12771132 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -107,22 +107,23 @@ ### [Threat analytics](microsoft-defender-atp/threat-analytics.md) ### [Advanced hunting]() -#### [Advanced hunting overview](microsoft-defender-atp/overview-hunting.md) -#### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md) -#### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md) +#### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md) +#### [Learn the query language](microsoft-defender-atp/advanced-hunting-query-language.md) +#### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md) #### [Advanced hunting schema reference]() -##### [All tables in the Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md) -##### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md) -##### [FileCreationEvents table](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md) -##### [ImageLoadEvents table](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md) -##### [LogonEvents table](microsoft-defender-atp/advanced-hunting-logonevents-table.md) -##### [MachineInfo table](microsoft-defender-atp/advanced-hunting-machineinfo-table.md) -##### [MachineNetworkInfo table](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md) -##### [MiscEvents table](microsoft-defender-atp/advanced-hunting-miscevents-table.md) -##### [NetworkCommunicationEvents table](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md) -##### [ProcessCreationEvents table](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md) -##### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md) -#### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md) +##### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md) +##### [AlertEvents](microsoft-defender-atp/advanced-hunting-alertevents-table.md) +##### [FileCreationEvents](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md) +##### [ImageLoadEvents](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md) +##### [LogonEvents](microsoft-defender-atp/advanced-hunting-logonevents-table.md) +##### [MachineInfo](microsoft-defender-atp/advanced-hunting-machineinfo-table.md) +##### [MachineNetworkInfo](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md) +##### [MiscEvents](microsoft-defender-atp/advanced-hunting-miscevents-table.md) +##### [NetworkCommunicationEvents](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md) +##### [ProcessCreationEvents](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md) +##### [RegistryEvents](microsoft-defender-atp/advanced-hunting-registryevents-table.md) +#### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md) +#### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md) #### [Custom detections]() diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 080a09e0b5..663976a44a 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -1,7 +1,7 @@ --- title: Threat Protection (Windows 10) description: Learn how Microsoft Defender ATP helps protect against threats. -keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, secure score, advanced hunting +keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, secure score, advanced hunting, cyber threat hunting search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -64,7 +64,7 @@ The attack surface reduction set of capabilities provide the first line of defen - [Application control](windows-defender-application-control/windows-defender-application-control.md) - [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) - [Exploit protection](microsoft-defender-atp/exploit-protection.md) -- [Network protection](microsoft-defender-atp/network-protection.md) +- [Network protection](microsoft-defender-atp/network-protection.md), [Web protection](microsoft-defender-atp/web-protection-overview.md) - [Controlled folder access](microsoft-defender-atp/controlled-folders.md) - [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) - [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md) @@ -83,7 +83,7 @@ To further reinforce the security perimeter of your network, Microsoft Defender **[Endpoint detection and response](microsoft-defender-atp/overview-endpoint-detection-response.md)**
-Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. +Endpoint detection and response capabilities are put in place to detect, investigate, and respond to intrusion attempts and active breaches. With Advanced hunting, you have a query-based threat-hunting tool that lets your proactively find breaches and create custom detections. - [Alerts](microsoft-defender-atp/alerts-queue.md) - [Historical endpoint data](microsoft-defender-atp/investigate-machines.md#timeline) @@ -91,9 +91,8 @@ Endpoint detection and response capabilities are put in place to detect, investi - [Forensic collection](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines) - [Threat intelligence](microsoft-defender-atp/threat-indicator-concepts.md) - [Advanced detonation and analysis service](microsoft-defender-atp/respond-file-alerts.md#deep-analysis) -- [Advanced hunting](microsoft-defender-atp/overview-hunting.md) - - [Custom detection](microsoft-defender-atp/overview-custom-detections.md) - - [Realtime and historical hunting](microsoft-defender-atp/advanced-hunting.md) +- [Advanced hunting](microsoft-defender-atp/advanced-hunting-overview.md) + - [Custom detections](microsoft-defender-atp/overview-custom-detections.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md index e8fd745ba1..84eb799e45 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md @@ -1,21 +1,21 @@ --- -title: AlertEvents table in the advanced hunting schema -description: Learn about the AlertEvents table in the Advanced hunting schema, such as column names, data types, and descriptions -keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, alertevent +title: AlertEvents table in the Advanced hunting schema +description: Learn about alert generation events in the AlertEvents table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, alertevents, alert, severity, category search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: v-maave -author: martyav +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 07/24/2019 +ms.date: 10/08/2019 --- # AlertEvents @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The AlertEvents table in the Advanced hunting schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. +The AlertEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -47,8 +47,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance | Table | string | Table that contains the details of the event | ## Related topics - -- [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index 75465b34a5..10961a9499 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -1,55 +1,50 @@ --- -title: Advanced hunting best practices in Microsoft Defender ATP -description: Learn about Advanced hunting best practices such as what filters and keywords to use to effectively query data. -keywords: advanced hunting, best practices, keyword, filters, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics +title: Query best practices for Advanced hunting +description: Learn how to construct fast, efficient, and error-free threat hunting queries when using Advanced hunting +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: macapara -author: mjcaparas +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 04/24/2018 +ms.topic: article +ms.date: 10/08/2019 --- -# Advanced hunting query best practices in Microsoft Defender ATP +# Advanced hunting query best practices **Applies to:** - - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink) -## Performance best practices -The following best practices serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries. -- When trying new queries, always use `limit` to avoid extremely large result sets or use `count` to assess the size of the result set. -- Use time filters first. Ideally, limit your queries to 7 days. +## Optimize query performance +Apply the recommendations to get results faster and avoid timeouts while running complex queries: +- When trying new queries, always use `limit` to avoid extremely large result sets. You can also initially assess the size of the result set using `count`. +- Use time filters first. Ideally, limit your queries to seven days. - Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter. - Use the `has` operator over `contains` when looking for full tokens. -- Use looking in specific column rather than using full text search across all columns. -- When joining between two tables, specify the table with fewer rows first. -- When joining between two tables, project only needed columns from both sides of the join. +- Look in a specific column rather than running full text searches across all columns. +- When joining tables, specify the table with fewer rows first. +- `project` only the necessary columns from tables you've joined. ->[!Tip] +>[!TIP] >For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/azure/kusto/query/best-practices). ## Query tips and pitfalls -### Using process IDs -Process IDs (PIDs) are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process. -To address this issue, Microsoft Defender ATP created the time process. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. +### Queries with process IDs +Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the machine identifier (either `MachineId` or `ComputerName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`). -So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either `MachineId` or `ComputerName`), a process ID (`ProcessId` or `InitiatingProcessId`) and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`) +The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares. -The following example query is created to find processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares. - -Example query: ``` NetworkCommunicationEvents | where RemotePort == 445 and EventTime > ago(12h) and InitiatingProcessId !in (0, 4) @@ -59,22 +54,19 @@ NetworkCommunicationEvents The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID. -### Using command lines - +### Queries with command lines Command lines can vary. When applicable, filter on file names and do fuzzy matching. -There are numerous ways to construct a command line to accomplish a task. +There are numerous ways to construct a command line to accomplish a task. For example, an attacker could reference an image file with or without a path, without a file extension, using environment variables, or with quotes. In addition, the attacker could also change the order of parameters or add multiple quotes and spaces. -For example, a malicious attacker could specify the process image file name without a path, with full path, without the file extension, using environment variables, add quotes, and others. In addition, the attacker can also change the order of some parameters, add multiple quotes or spaces, and much more. +To create more durable queries using command lines, apply the following practices: -To create more durable queries using command lines, we recommended the following guidelines: - -- Identify the known processes (such as net.exe, psexec.exe, and others) by matching on the filename fields, instead of filtering on the command line field. -- When querying for command line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators. +- Identify the known processes (such as *net.exe* or *psexec.exe*) by matching on the filename fields, instead of filtering on the command-line field. +- When querying for command-line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators. - Use case insensitive matches. For example, use `=~`, `in~`, `contains` instead of `==`, `in` or `contains_cs` -- To mitigate DOS command line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. This is just the start of handling DOS obfuscation techniques, but it does mitigate the most common ones. +- To mitigate DOS command-line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. Note that there are more complex DOS obfuscation techniques that require other approaches, but these can help address the most common ones. -The following example query shows various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service: +The following examples show various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service: ``` // Non-durable query - do not use @@ -93,4 +85,9 @@ ProcessCreationEvents | where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc" ``` ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink) \ No newline at end of file +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink) + +## Related topics +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md index 2b414ee047..957282b72c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md @@ -1,21 +1,21 @@ --- title: FileCreationEvents table in the Advanced hunting schema -description: Learn about the FileCreationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions -keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, filecreationevents +description: Learn about file-related events in the FileCreationEvents table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, filecreationevents, files, path, hash, sha1, sha256, md5 search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: v-maave -author: martyav +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 07/24/2019 +ms.date: 10/08/2019 --- # FileCreationEvents @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The FileCreationEvents table in the Advanced hunting schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table. +The FileCreationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -73,8 +73,6 @@ For information on other tables in the Advanced hunting schema, see [the Advanc | IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection | ## Related topics - -- [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md index 160e833850..68ceff1055 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md @@ -1,21 +1,21 @@ --- title: ImageLoadEvents table in the Advanced hunting schema -description: Learn about the ImageLoadEvents table in the Advanced hunting schema, such as column names, data types, and descriptions -keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, imageloadevents +description: Learn about DLL loading events in the ImageLoadEvents table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, imageloadevents, DLL loading, library, file image search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: v-maave -author: martyav +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 07/24/2019 +ms.date: 10/08/2019 --- # ImageLoadEvents @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The ImageLoadEvents table in the Advanced hunting schema contains information about DLL loading events. Use this reference to construct queries that return information from the table. +The ImageLoadEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -59,8 +59,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics - -- [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md index c5279cdd3d..eb6044fda7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md @@ -1,21 +1,21 @@ --- title: LogonEvents table in the Advanced hunting schema -description: Learn about the LogonEvents table in the Advanced hunting schema, such as column names, data types, and descriptions -keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, logonevents +description: Learn about authentication or sign-in events in the LogonEvents table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, logonevents, authentication, logon, sign in search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: v-maave -author: martyav +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 07/24/2019 +ms.date: 10/08/2019 --- # LogonEvents @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The LogonEvents table in the Advanced hunting schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table. +The LogonEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -67,8 +67,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance | IsLocalAdmin | boolean | Boolean indicator of whether the user is a local administrator on the machine | ## Related topics - -- [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md index abe7b49af5..a986602549 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md @@ -1,21 +1,21 @@ --- title: MachineInfo table in the Advanced hunting schema -description: Learn about the MachineInfo table in the Advanced hunting schema, such as column names, data types, and descriptions -keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machineinfo +description: Learn about OS, computer name, and other machine information in the MachineInfo table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, machineinfo, device, machine, OS, platform, users search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: v-maave -author: martyav +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 07/24/2019 +ms.date: 10/08/2019 --- # MachineInfo @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The MachineInfo table in the Advanced hunting schema contains information about machines in the organization, including OS version, active users, and computer name. Use this reference to construct queries that return information from the table. +The MachineInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -48,8 +48,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance | MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine | ## Related topics - -- [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md index 717019c475..a09d2619f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md @@ -1,21 +1,21 @@ --- title: MachineNetworkInfo table in the Advanced hunting schema -description: Learn about the MachineNetworkInfo table in the Advanced hunting schema, such as column names, data types, and descriptions -keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machinenetworkinfo +description: Learn about network configuration information in the MachineNetworkInfo table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, machinenetworkinfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: v-maave -author: martyav +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 07/24/2019 +ms.date: 10/08/2019 --- # MachineNetworkInfo @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The MachineNetworkInfo table in the Advanced hunting schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. +The MachineNetworkInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -49,8 +49,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance | IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local | ## Related topics - -- [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md index deeef6fd8a..2e6c3ad70f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md @@ -1,21 +1,21 @@ --- title: MiscEvents table in the advanced hunting schema -description: Learn about the MiscEvents table in the Advanced hunting schema, such as column names, data types, and descriptions -keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, miscEvents +description: Learn about antivirus, firewall, and other event types in the miscellaneous events (MiscEvents) table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: v-maave -author: martyav +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 07/24/2019 +ms.date: 10/08/2019 --- # MiscEvents @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The MiscEvents table in the Advanced hunting schema contains information about multiple event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. +The miscellaneous events or MiscEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -80,8 +80,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics - -- [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md index 9427ce74c8..5485d2b86e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md @@ -1,21 +1,21 @@ --- title: NetworkCommunicationEvents table in the Advanced hunting schema -description: Learn about the NetworkCommunicationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions -keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, networkcommunicationevents +description: Learn about network connection events you can query from the NetworkCommunicationEvents table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, networkcommunicationevents, network connection, remote ip, local ip search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: v-maave -author: martyav +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 07/24/2019 +ms.date: 10/08/2019 --- # NetworkCommunicationEvents @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The NetworkCommunicationEvents table in the Advanced hunting schema contains information about network connections and related events. Use this reference to construct queries that return information from the table. +The NetworkCommunicationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -63,8 +63,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics - -- [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md new file mode 100644 index 0000000000..33df9bb93f --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md @@ -0,0 +1,73 @@ +--- +title: Overview of Advanced hunting +description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, custom detections, schema, kusto +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 10/08/2019 +--- + +# Proactively hunt for threats with Advanced hunting +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) + +Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats. + +You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines. + +## Get started with Advanced hunting + +We recommend going through several steps to quickly get up and running with Advanced hunting. + +| Learning goal | Description | Resource | +|--|--|--| +| **Get a feel for the language** | Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting-query-language.md) | +| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries. | [Schema reference](advanced-hunting-schema-reference.md) | +| **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) | +| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | [Custom detections overview](overview-custom-detections.md) | + +## Get help as you write queries +Take advantage of the following functionality to write queries faster: +- **Autosuggest** — as you write queries, Advanced hunting provides suggestions. +- **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor. + +## Drilldown from query results +To view more information about entities, such as machines, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity in Microsoft Defender Security Center. + +## Tweak your queries from the results +Right-click a value in the result set to quickly enhance your query. You can use the options to: + +- Explicitly look for the selected value (`==`) +- Exclude the selected value from the query (`!=`) +- Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with` + + + +## Filter the query results +The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances. + +Refine your query by selecting the "+" or "-" buttons next to the values that you want to include or exclude. + + + +Once you apply the filter to modify the query and then run the query, the results are updated accordingly. + +## Related topics +- [Learn the query language](advanced-hunting-query-language.md) +- [Use shared queries](advanced-hunting-shared-queries.md) +- [Understand the schema](advanced-hunting-schema-reference.md) +- [Apply query best practices](advanced-hunting-best-practices.md) +- [Custom detections overview](overview-custom-detections.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md index 43a0651a0f..43746ac557 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md @@ -1,21 +1,21 @@ --- title: ProcessCreationEvents table in the Advanced hunting schema -description: Learn about the ProcessCreationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions -keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, processcreationevents +description: Learn about the process spawning or creation events in the ProcessCreationEvents table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, processcreationevents, process id, command line search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: v-maave -author: martyav +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 07/24/2019 +ms.date: 10/08/2019 --- # ProcessCreationEvents @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The ProcessCreationEvents table in the Advanced hunting schema contains information about process creation and related events. Use this reference to construct queries that return information from the table. +The ProcessCreationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -71,8 +71,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics - -- [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md new file mode 100644 index 0000000000..89e50cf072 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md @@ -0,0 +1,143 @@ +--- +title: Learn the Advanced hunting query language +description: Create your first threat hunting query and learn about common operators and other aspects of the Advanced hunting query language +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 10/08/2019 +--- + +# Learn the Advanced hunting query language + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) + +Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for Advanced hunting. To understand these concepts better, run your first query. + +## Try your first query + +In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example: + +``` +// Finds PowerShell execution events that could involve a download. +ProcessCreationEvents +| where EventTime > ago(7d) +| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE") +| where ProcessCommandLine has "Net.WebClient" + or ProcessCommandLine has "DownloadFile" + or ProcessCommandLine has "Invoke-WebRequest" + or ProcessCommandLine has "Invoke-Shellcode" + or ProcessCommandLine contains "http:" +| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine +| top 100 by EventTime' +``` + +This is how it will look like in Advanced hunting. + + + +### Describe the query and specify the table to search +The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization. + +``` +// Finds PowerShell execution events that could involve a download. +ProcessCreationEvents +``` + +The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding with the table name `ProcessCreationEvents` and add piped elements as needed. + +### Set the time range +The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out. + +``` +| where EventTime > ago(7d) +``` +### Search for specific executable files +The time range is immediately followed by a search for files representing the PowerShell application. + +``` +| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE") +``` +### Search for specific command lines +Afterwards, the query looks for command lines that are typically used with PowerShell to download files. + +``` +| where ProcessCommandLine has "Net.WebClient" + or ProcessCommandLine has "DownloadFile" + or ProcessCommandLine has "Invoke-WebRequest" + or ProcessCommandLine has "Invoke-Shellcode" + or ProcessCommandLine contains "http:" +``` +### Select result columns and length +Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process. + +``` +| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine +| top 100 by EventTime' +``` + +Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results. + +## Learn common query operators for Advanced hunting + +Now that you've run your first query and have a general idea of its components, it's time to backtrack a little bit and learn some basics. The Kusto query language used by Advanced hunting supports a range of operators, including the following common ones. + +| Operator | Description and usage | +|--|--| +| **where** | Filter a table to the subset of rows that satisfy a predicate. | +| **summarize** | Produce a table that aggregates the content of the input table. | +| **join** | Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table. | +| **count** | Return the number of records in the input record set. | +| **top** | Return the first N records sorted by the specified columns. | +| **limit** | Return up to the specified number of rows. | +| **project** | Select the columns to include, rename or drop, and insert new computed columns. | +| **extend** | Create calculated columns and append them to the result set. | +| **makeset** | Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. | +| **find** | Find rows that match a predicate across a set of tables. | + +To see a live example of these operators, run them from the **Get started** section of the Advanced hunting page. + +## Understand data types + +Data in Advanced hunting tables are generally classified into the following data types. + +| Data type | Description and query implications | +|--|--| +| **datetime** | Data and time information typically representing event timestamps | +| **string** | Character string | +| **bool** | True or false | +| **int** | 32-bit numeric value | +| **long** | 64-bit numeric value | + +## Use sample queries + +The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them. + + + +>[!NOTE] +>Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository. + +## Access query language documentation + +For more information on Kusto query language and supported operators, see [Query Language](https://docs.microsoft.com/azure/kusto/query/). + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) + +## Related topics +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Understand the schema](advanced-hunting-schema-reference.md) +- [Apply query best practices](advanced-hunting-best-practices.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md index 3099373d13..05c6b7386b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md @@ -1,21 +1,21 @@ --- title: RegistryEvents table in the Advanced hunting schema -description: Learn about the RegistryEvents table in the Advanced hunting schema, such as column names, data types, and descriptions -keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, registryevents +description: Learn about registry events you can query from the RegistryEvents table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, registryevents, registry, key, subkey, value search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: v-maave -author: martyav +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 07/24/2019 +ms.date: 10/08/2019 --- # RegistryEvents @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The RegistryEvents table in the Advanced hunting schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table. +The RegistryEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| @@ -61,8 +61,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics - -- [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md similarity index 74% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index 140286d974..8841cd7785 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md @@ -1,34 +1,33 @@ --- title: Advanced hunting schema reference -description: Learn about the tables in the advanced hunting schema -keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description +description: Learn about the tables in the Advanced hunting schema to understand the data you can run threat hunting queries on +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, data search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: macapara -author: mjcaparas +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 07/24/2019 +ms.date: 10/08/2019 --- -# Advanced hunting reference in Microsoft Defender ATP +# Understand the Advanced hunting schema **Applies to:** - - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -## Advanced hunting table reference +## Schema tables -The Advanced hunting schema is made up of multiple tables that provide either event information or information about certain entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema. +The [Advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema. The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table. @@ -48,6 +47,5 @@ Table and column names are also listed within the Microsoft Defender Security Ce | **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection | ## Related topics - -- [Query data using Advanced hunting](advanced-hunting.md) -- [Best practices for Advanced hunting query-writing](advanced-hunting-best-practices.md) +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md new file mode 100644 index 0000000000..d32a485fd7 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md @@ -0,0 +1,64 @@ +--- +title: Use shared queries in Advanced hunting +description: Start threat hunting immediately with predefined and shared queries. Share your queries to the public or to your organization. +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 10/08/2019 +--- + +# Use shared queries in Advanced hunting + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) + +[Advanced hunting](advanced-hunting-overview.md) queries can be shared among users in the same organization. You can also find queries shared publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch. + + + +## Save, modify, and share a query +You can save a new or existing query so that it is only accessible to you or shared with other users in your organization. + +1. Type a new query or load an existing one from under **Shared queries** or **My queries**. + +2. Select **Save** or **Save as** from the save options. To avoid overwriting an existing query, choose **Save as**. + +3. Enter a name for the query. + +  + +4. Select the folder where you'd like to save the query. + - **Shared queries** — shared to all users in the your organization + - **My queries** — accessible only to you + +5. Select **Save**. + +## Delete or rename a query +1. Right-click on a query you want to rename or delete. + +  + +2. Select **Delete** and confirm deletion. Or select **Rename** and provide a new name for the query. + +## Access queries in the GitHub repository +Microsoft security researchers regularly share Advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/). + +>[!TIP] +>Microsoft security researchers also provide Advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](threat-analytics.md) reports in Microsoft Defender Security Center. + +## Related topics +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md deleted file mode 100644 index 9ce09a700b..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md +++ /dev/null @@ -1,153 +0,0 @@ ---- -title: Query data using Advanced hunting in Microsoft Defender ATP -description: Learn about Advanced hunting in Microsoft Defender ATP and how to query ATP data. -keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 08/15/2018 ---- - -# Query data using Advanced hunting in Microsoft Defender ATP - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) - - -To get you started in querying your data, you can use the Basic or Advanced query examples, which have some preloaded queries to help you understand the basic query syntax. - - - -## Use advanced hunting to query data - -A typical query starts with a table name followed by a series of operators separated by **|**. - -In the following example, we start with the table name **ProcessCreationEvents** and add piped elements as needed. - - - -First, we define a time filter to review only records from the previous seven days. - -We then add a filter on the _FileName_ to contain only instances of _powershell.exe_. - -Afterwards, we add a filter on the _ProcessCommandLine_. - -Finally, we project only the columns we're interested in exploring and limit the results to 100 and click **Run query**. - -You have the option of expanding the screen view so you can focus on your hunting query and related results. - -### Use operators -The query language is very powerful and has a lot of available operators, some of them are - - -- **where** - Filter a table to the subset of rows that satisfy a predicate. -- **summarize** - Produce a table that aggregates the content of the input table. -- **join** - Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table. -- **count** - Return the number of records in the input record set. -- **top** - Return the first N records sorted by the specified columns. -- **limit** - Return up to the specified number of rows. -- **project** - Select the columns to include, rename or drop, and insert new computed columns. -- **extend** - Create calculated columns and append them to the result set. -- **makeset** - Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group -- **find** - Find rows that match a predicate across a set of tables. - -To see a live example of these operators, run them as part of the **Get started** section. - -## Access query language documentation - -For more information on the query language and supported operators, see [Query Language](https://docs.microsoft.com/azure/log-analytics/query-language/query-language). - -## Use exposed tables in Advanced hunting - -The following tables are exposed as part of Advanced hunting: - -- **AlertEvents** - Alerts on Microsoft Defender Security Center -- **MachineInfo** - Machine information, including OS information -- **MachineNetworkInfo** - Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains -- **ProcessCreationEvents** - Process creation and related events -- **NetworkCommunicationEvents** - Network connection and related events -- **FileCreationEvents** - File creation, modification, and other file system events -- **RegistryEvents** - Creation and modification of registry entries -- **LogonEvents** - Login and other authentication events -- **ImageLoadEvents** - DLL loading events -- **MiscEvents** - Multiple event types, such as process injection, creation of scheduled tasks, and LSASS access attempts - -These tables include data from the last 30 days. - -## Use shared queries -Shared queries are prepopulated queries that give you a starting point on running queries on your organization's data. It includes a couple of examples that help demonstrate the query language capabilities. - - - -You can save, edit, update, or delete queries. - -### Save a query -You can create or modify a query and save it as your own query or share it with users who are in the same tenant. - -1. Create or modify a query. - -2. Click the **Save query** drop-down button and select **Save as**. - -3. Enter a name for the query. - -  - -4. Select the folder where you'd like to save the query. - - Shared queries - Allows other users in the tenant to access the query - - My query - Accessible only to the user who saved the query - -5. Click **Save**. - -### Update a query -These steps guide you on modifying and overwriting an existing query. - -1. Edit an existing query. - -2. Click the **Save**. - -### Delete a query -1. Right-click on a query you want to delete. - -  - -2. Select **Delete** and confirm that you want to delete the query. - -## Result set capabilities in Advanced hunting - -The result set has several capabilities to provide you with effective investigation, including: - -- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in Microsoft Defender Security Center. -- You can right-click on a cell in the result set and add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set. - - - -## Filter results in Advanced hunting -In Advanced hunting, you can use the advanced filter on the output result set of the query. -The filters provide an overview of the result set where -each column has it's own section and shows the distinct values that appear in the column and their prevalence. - -You can refine your query based on the filter by clicking the "+" or "-" buttons on the values that you want to include or exclude and click **Run query**. - - - -The filter selections will resolve as an additional query term and the results will be updated accordingly. - - - -## Public Advanced hunting query GitHub repository -Check out the [Advanced hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers. - - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) - -## Related topic -- [Advanced hunting reference](advanced-hunting-reference.md) -- [Advanced hunting query language best practices](advanced-hunting-best-practices.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index bd14cbf032..2c44e8cfe9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -39,7 +39,7 @@ Method|Return Type |Description Property | Type | Description :---|:---|:--- id | String | Alert ID. -incidentId | String | The [Incident](view-incidents-queue.md) ID of the Alert. +incidentId | String | The [Incident](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) ID of the Alert. assignedTo | String | Owner of the alert. severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'. status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 311f6803b0..b5bd5c3d18 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -1,7 +1,7 @@ --- title: Use attack surface reduction rules to prevent malware infection description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware -keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention +keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -12,7 +12,6 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/07/2019 ms.reviewer: manager: dansimp --- @@ -28,7 +27,7 @@ manager: dansimp Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019. -To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. +To use the entire feature set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can use Event Viewer to review attack surface reduction rule events. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: @@ -36,17 +35,17 @@ Attack surface reduction rules target behaviors that malware and malicious apps * Obfuscated or otherwise suspicious scripts * Behaviors that apps don't usually initiate during normal day-to-day work -You can use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. +You can use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. -Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center. +Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 security center. For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). -## Review attack surface reduction events in the Microsoft Security Center +## Review attack surface reduction events in the Microsoft Defender Security Center Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment. +You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to understand how attack surface reduction rules could affect your environment. Here is an example query: @@ -208,7 +207,7 @@ This rule blocks the following file types from launching unless they either meet * Executable files (such as .exe, .dll, or .scr) > [!NOTE] -> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. +> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule. > [!IMPORTANT] > The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. @@ -228,7 +227,7 @@ GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25 This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list. > [!NOTE] -> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. +> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule. This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 @@ -329,4 +328,4 @@ GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b * [Enable attack surface reduction rules](enable-attack-surface-reduction.md) * [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) -* [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility) +* [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md index fac075a33c..4eafbbefa8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md @@ -53,7 +53,7 @@ The goal is to remediate the issues in the security recommendations list to impr See how you can [improve your security configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details. >[!IMPORTANT] ->To boost your vulnerability assessment detection rates, you can download the following set of optional security updates and deploy them in your network: +>To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network: >- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) >- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) >- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) @@ -62,8 +62,6 @@ See how you can [improve your security configuration](https://docs.microsoft.com >To download the security updates: >1. Go to [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/home.aspx). >2. Key-in the security update KB number that you need to download, then click **Search**. -> ->Downloading the above-mentioned security updates will be mandatory starting Patch Tuesday, October 8, 2019. ## Related topics - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md index 3974d3dc84..484a763167 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md @@ -57,7 +57,7 @@ From the device compliance page, create a configuration profile specifically for - Select **Create a device configuration profile to configure ATP sensor** to start with a predefined device configuration profile. - Create the device configuration profile from scratch. -For more information, [read about using Intune device configuration profiles to onboard machines to Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile). +For more information, [read about using Intune device configuration profiles to onboard machines to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile). >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 2e925f762d..e8692e242a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -23,7 +23,7 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Custom detection rules built from [Advanced hunting](overview-hunting.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches. +Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches. > [!NOTE] > To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. @@ -33,8 +33,10 @@ Custom detection rules built from [Advanced hunting](overview-hunting.md) querie In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results. -> [!NOTE] -> To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that don’t use the `project` operator to customize results usually return these common columns. +#### Required columns in the query results +To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Simple queries, such as those that don’t use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. + +There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `MachineId`, you can still return `EventTime` and `ReportId` by getting them from the most recent event involving each machine. The sample query below counts the number of unique machines (`MachineId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `EventTime` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. @@ -112,3 +114,5 @@ You can also take the following actions on the rule from this page: ## Related topic - [Custom detections overview](overview-custom-detections.md) +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the Advanced hunting query language](advanced-hunting-query-language.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md index 6bd71a712b..728379548b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md @@ -113,7 +113,7 @@ Use the test machines to run attack simulations by connecting to them. If you are looking for a pre-made simulation, you can use our ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials). These scripts are safe, documented, and easy to use. These scenarios will reflect Microsoft Defender ATP capabilities and walk you through investigation experience. -You can also use [Advanced hunting](advanced-hunting.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats. +You can also use [Advanced hunting](advanced-hunting-query-language.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats. >[!NOTE] >The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections. diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-shared-queries.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-shared-queries.png new file mode 100644 index 0000000000..c245c9e9fb Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-shared-queries.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png index c8c053fd44..495ac3cb26 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp_advanced_hunting_delete_rename.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp_advanced_hunting_delete_rename.png new file mode 100644 index 0000000000..93931e9013 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp_advanced_hunting_delete_rename.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md index b78325e026..379a0c8d3e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md @@ -78,7 +78,6 @@ You can click the circles on the incident graph to view the details of the malic  ## Related topics -- [View and organize the Incidents queue](view-incidents-queue.md) -- [Manage incidents](manage-incidents.md) - - +- [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) +- [Investigate incidents in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents) +- [Manage Microsoft Defender ATP incidents](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-incidents) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md index 2e124ba8aa..0d82ce51ba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md @@ -29,4 +29,4 @@ Topic | Description [Alerts queue](alerts-queue-endpoint-detection-response.md)| View the alerts surfaced in Microsoft Defender Security Center. [Machines list](machines-view-overview.md) | Learn how you can view and manage the machines list, manage machine groups, and investigate machine related alerts. [Take response actions](response-actions.md)| Take response actions on machines and files to quickly respond to detected attacks and contain threats. -[Query data using advanced hunting](advanced-hunting.md)| Proactively hunt for possible threats across your organization using a powerful search and query tool. +[Query data using advanced hunting](advanced-hunting-query-language.md)| Proactively hunt for possible threats across your organization using a powerful search and query tool. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md index 6f2cd9df63..56e0d4eeb2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md @@ -60,6 +60,6 @@ Added comments instantly appear on the pane. ## Related topics -- [Incidents queue](incidents-queue.md) +- [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) - [View and organize the Incidents queue](view-incidents-queue.md) - [Investigate incidents](investigate-incidents.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index 33bd480db3..de8a73f329 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Microsoft Defender Advanced Threat Protection description: Microsoft Defender Advanced Threat Protection is an enterprise security platform that helps secops to prevent, detect, investigate, and respond to possible cybersecurity threats related to advanced persistent threats. -keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection +keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -78,7 +78,7 @@ This built-in capability uses a game-changing risk-based approach to the discove **[Attack surface reduction](overview-attack-surface-reduction.md)**
-The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. +The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. This set of capabilities also includes [network protection](network-protection.md) and [web protection](web-protection-overview.md), which regulate access to malicious IP addresses, domains, and URLs. @@ -88,8 +88,7 @@ To further reinforce the security perimeter of your network, Microsoft Defender **[Endpoint detection and response](overview-endpoint-detection-response.md)**
-Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. -You can also do advanced hunting to create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in your organization. +Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. [Advanced hunting](advanced-hunting-overview.md) provides a query-based threat-hunting tool that lets you proactively find breaches and create custom detections. diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index e4f3194e93..57782a8e2b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -37,6 +37,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr - Windows 10 Enterprise E5 - Windows 10 Education E5 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5 +- Microsoft 365 E3 (M365 E3) with Identity and Threat Protection package For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare). diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt index 9dd1998f62..ffdde6dfa0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt +++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt @@ -105,11 +105,11 @@ ### [Advanced hunting]() -#### [Advanced hunting overview](overview-hunting.md) +#### [Advanced hunting overview](advanced-hunting-overview.md) #### [Query data using Advanced hunting]() -##### [Data querying basics](advanced-hunting.md) -##### [Advanced hunting reference](advanced-hunting-reference.md) +##### [Data querying basics](advanced-hunting-query-language.md) +##### [Advanced hunting reference](advanced-hunting-schema-reference.md) ##### [Advanced hunting query language best practices](advanced-hunting-best-practices.md) #### [Custom detections]() diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index 8398ee9986..13b9cef73c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md @@ -25,14 +25,15 @@ ms.topic: conceptual With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured machines. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions. -Custom detections work with [Advanced hunting](overview-hunting.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches. +Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches. Custom detections provide: -- Alerts from rule-based detections built from Advanced hunting queries +- Alerts for rule-based detections built from Advanced hunting queries - Automatic response actions that apply to files and machines >[!NOTE] >To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. ## Related topic -- [Create and manage custom detection rules](custom-detection-rules.md) \ No newline at end of file +- [Create and manage custom detection rules](custom-detection-rules.md) +- [Advanced hunting overview](advanced-hunting-overview.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md index 8343dc2003..4c4cf5edcf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md @@ -37,7 +37,7 @@ The response capabilities give you the power to promptly remediate threats by ac Topic | Description :---|:--- [Security operations dashboard](security-operations-dashboard.md) | Explore a high level overview of detections, highlighting where response actions are needed. -[Incidents queue](incidents-queue.md) | View and organize the incidents queue, and manage and investigate alerts. +[Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) | View and organize the incidents queue, and manage and investigate alerts. [Alerts queue](alerts-queue.md) | View and organize the machine alerts queue, and manage and investigate alerts. [Machines list](machines-view-overview.md) | Investigate machines with generated alerts and search for specific events over time. [Take response actions](response-actions.md) | Learn about the available response actions and apply them to machines and files. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md deleted file mode 100644 index 3d1b55266e..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md +++ /dev/null @@ -1,40 +0,0 @@ ---- -title: Overview of advanced hunting capabilities -description: Hunt for possible threats across your organization using a powerful search and query tool -keywords: advanced hunting, hunting, search, query, tool, intellisense, telemetry -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Overview of advanced hunting -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Microsoft Defender Security Center. - -With advanced hunting, you can take advantage of the following capabilities: - -- **Powerful query language with IntelliSense** - Built on top of a query language that gives you the flexibility you need to take hunting to the next level. -- **Query the stored telemetry** - The telemetry data is accessible in tables for you to query. For example, you can query process creation, network communication, and many other event types. -- **Links to portal** - Certain query results, such as machine names and file names are actually direct links to the portal, consolidating the Advanced hunting query experience and the existing portal investigation experience. -- **Query examples** - A welcome page provides examples designed to get you started and get you familiar with the tables and the query language. - -## In this section -Topic | Description -:---|:--- -[Query data using Advanced hunting](advanced-hunting.md) | Learn how to use the basic or advanced query examples to search for possible emerging threats in your organization. -[Custom detections](overview-custom-detections.md)| With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. - - - diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview.md b/windows/security/threat-protection/microsoft-defender-atp/overview.md index e649152e6b..7d78d67bc7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview.md @@ -2,7 +2,7 @@ title: Overview of Microsoft Defender ATP ms.reviewer: description: Understand the concepts behind the capabilities in Microsoft Defender ATP so you take full advantage of the complete threat protection platform -keywords: atp, microsoft defender atp, defender, mdatp, threat protection, platform, threat, vulnerability, asr, attack, surface, reduction, next-gen, protection, edr, endpoint, detection, response, automated, air +keywords: atp, microsoft defender atp, defender, mdatp, threat protection, platform, threat, vulnerability, asr, attack, surface, reduction, next-gen, protection, edr, endpoint, detection, response, automated, air, cyber threat hunting, advanced hunting search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -34,13 +34,13 @@ Understand the concepts behind the capabilities in Microsoft Defender ATP so you Topic | Description :---|:--- [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) | Reduce organizational vulnerability exposure and increase threat resilience while seamlessly connecting workflows across security stakeholders—security administrators, security operations, and IT administrators in remediating threats. -[Attack surface reduction](overview-attack-surface-reduction.md) | Leverage the attack surface reduction capabilities to protect the perimeter of your organization. +[Attack surface reduction](overview-attack-surface-reduction.md) | Leverage exploit protection, attack surface reduction rules, and other capabilities to protect the perimeter of your organization. This set of capabilities also includes [network protection](network-protection.md) and [web protection](web-protection-overview.md), which regulate access to malicious IP addresses, domains, and URLs. [Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | Learn about the antivirus capabilities in Microsoft Defender ATP so you can protect desktops, portable computers, and servers. [Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Microsoft Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats. [Automated investigation and remediation](automated-investigations.md) | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. [Secure score](overview-secure-score.md) | Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization - all in one place. [Microsoft Threat Experts](microsoft-threat-experts.md) | Managed cybersecurity threat hunting service. Learn how you can get expert-driven insights and data through targeted attack notification and access to experts on demand. -[Advanced hunting](overview-hunting.md) | Use a powerful search and query language to create custom queries and detection rules. +[Advanced hunting](advanced-hunting-overview.md) | Use a powerful query-based threat-hunting tool to proactively find breach activity and create custom detection rules. [Management and APIs](management-apis.md) | Microsoft Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows. [Microsoft Threat Protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other security capabilities in the Microsoft threat protection stack. [Portal overview](portal-overview.md) |Learn to navigate your way around Microsoft Defender Security Center. diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md index 7a1c0650f9..9a9fa6e53c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md @@ -141,7 +141,7 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t  -4. Create a new directory `Microsoft Power BI Desktop\Custom Connectors` under the user's Documents folder. +4. Create a new directory `[Documents]\Power BI Desktop\Custom Connectors`. 5. Copy WDATPDataConnector.mez from the zip to the directory you just created. @@ -150,6 +150,9 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t 7. Click **File** > **Options and settings** > **Custom data connectors**. 8. Select **New table and matrix visuals** and **Custom data connectors** and click **OK**. + + > [!NOTE] + > If you plan on using Custom Connectors or connectors that you or a third party has developed, you must select *(Not Recommended) Allow any extension to load without warning* under **Power BI Desktop** > **File** > **Options and settings** > **Options** > **Security** > **Data Extensions**". >[!NOTE] >If you are using Power BI Desktop July 2017 version (or later), you won't need to select **New table and matrix visuals**. You'll only need to select **Custom data connectors**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md index f689022abe..7f28e73b98 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md @@ -62,7 +62,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w - Each event hub message in Azure Event Hubs contains list of records. - Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**". -- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](overview-hunting.md). +- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md). ## Data types mapping: @@ -83,7 +83,7 @@ To get the data types for event properties do the following:  ## Related topics -- [Overview of Advanced Hunting](overview-hunting.md) +- [Overview of Advanced Hunting](advanced-hunting-overview.md) - [Microsoft Defender ATP streaming API](raw-data-export.md) - [Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md) - [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/) diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md index a30dc4ead2..3d9ca8313a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md @@ -62,7 +62,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w - Each blob contains multiple rows. - Each row contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties". -- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](overview-hunting.md). +- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md). ## Data types mapping: @@ -83,7 +83,7 @@ In order to get the data types for our events properties do the following:  ## Related topics -- [Overview of Advanced Hunting](overview-hunting.md) +- [Overview of Advanced Hunting](advanced-hunting-overview.md) - [Microsoft Defender Advanced Threat Protection Streaming API](raw-data-export.md) - [Stream Microsoft Defender Advanced Threat Protection events to your Azure storage account](raw-data-export-storage.md) - [Azure Storage Account documentation](https://docs.microsoft.com/azure/storage/common/storage-account-overview) diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md index 75e88ccf52..7155ac0422 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md @@ -27,17 +27,17 @@ ms.topic: article ## Stream Advanced Hunting events to Event Hubs and/or Azure storage account. -Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](overview-hunting.md) to an [Event Hubs](https://docs.microsoft.com/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/azure/event-hubs/). +Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](advanced-hunting-overview.md) to an [Event Hubs](https://docs.microsoft.com/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/azure/event-hubs/). ## In this section Topic | Description :---|:--- -[Stream Microsoft Defender ATP events to Azure Event Hubs](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](overview-hunting.md) to Event Hubs. -[Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](overview-hunting.md) to your Azure storage account. +[Stream Microsoft Defender ATP events to Azure Event Hubs](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](advanced-hunting-overview.md) to Event Hubs. +[Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](advanced-hunting-overview.md) to your Azure storage account. ## Related topics -- [Overview of Advanced Hunting](overview-hunting.md) +- [Overview of Advanced Hunting](advanced-hunting-overview.md) - [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/) - [Azure Storage Account documentation](https://docs.microsoft.com/azure/storage/common/storage-account-overview) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index 457a33f85a..079a79034a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -145,5 +145,5 @@ If the 'roles' section in the token does not include the necessary permission: ## Related topic - [Microsoft Defender ATP APIs](apis-intro.md) -- [Advanced Hunting from Portal](advanced-hunting.md) +- [Advanced Hunting from Portal](advanced-hunting-query-language.md) - [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index d63d1f4ea5..f7512247e0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -29,21 +29,19 @@ Ensure that your machines: >[!NOTE] >Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday. -- Have the following mandatory updates installed: -- (1) RS3 customers | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) -- (2) RS4 customers | [KB4493464](https://support.microsoft.com/help/4493464) +- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates: + +> Release | Security update KB number and link +> :---|:--- +> RS3 customers | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) +> RS4 customers| [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) +> RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) +> 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) + - Are onboarded to Microsoft Intune and System Center Configuration Manager (SCCM). If you are use SCCM, update your console to the latest May version 1905 - Have at least one security recommendation that can be viewed in the machine page - Are tagged or marked as co-managed ->[!IMPORTANT] ->To boost your vulnerability assessment detection rates, you can download the following set of optional security updates and deploy them in your network: ->- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) ->- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) ->- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) ->- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) ->
Downloading and deploying the above-mentioned security updates will be mandatory starting Patch Tuesday, October 8, 2019. - ## Reduce your threat and vulnerability exposure Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index bb9f499cd3..e2615c2319 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md @@ -26,12 +26,11 @@ Threat & Vulnerability Management leverages the same signals in Microsoft Defend The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights. >[!IMPORTANT] ->To boost your vulnerability assessment detection rates, you can download the following set of optional security updates and deploy them in your network: +>To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network: >- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) >- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) >- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) >- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) ->
Downloading the above-mentioned security updates will be mandatory starting Patch Tuesday, October 8, 2019.
## Navigate through your organization's weaknesses page
You can see the list of vulnerabilities in four ways:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
index c3753c466c..4bda743be9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
@@ -64,7 +64,7 @@ You can choose to limit the list of incidents shown based on their status to see
Use this filter to show incidents that contain sensitivity labels.
## Related topics
-- [Incidents queue](incidents-queue.md)
+- [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue)
- [Manage incidents](manage-incidents.md)
- [Investigate incidents](investigate-incidents.md)
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index 8ce51363fd..f9421d02f6 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -31,9 +31,7 @@ The Security Compliance Toolkit consists of:
- Windows 10 Version 1809 (October 2018 Update)
- Windows 10 Version 1803 (April 2018 Update)
- Windows 10 Version 1709 (Fall Creators Update)
- - Windows 10 Version 1703 (Creators Update)
- Windows 10 Version 1607 (Anniversary Update)
- - Windows 10 Version 1511 (November Update)
- Windows 10 Version 1507
- Windows Server security baselines
@@ -42,7 +40,7 @@ The Security Compliance Toolkit consists of:
- Windows Server 2012 R2
- Microsoft Office security baseline
- - Office 2016
+ - Office365 ProPlus (Sept 2019)
- Tools
- Policy Analyzer tool
diff --git a/windows/security/threat-protection/security-policy-settings/account-policies.md b/windows/security/threat-protection/security-policy-settings/account-policies.md
index 3c9a703853..f740ced849 100644
--- a/windows/security/threat-protection/security-policy-settings/account-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/account-policies.md
@@ -25,7 +25,8 @@ ms.date: 04/19/2017
An overview of account policies in Windows and provides links to policy descriptions.
All account policies settings applied by using Group Policy are applied at the domain level. Default values are present in the built-in default domain controller policy for Password Policy settings, Account Lockout Policy settings, and Kerberos Policy settings. The domain account policy becomes the default local account policy of any device that is a member of the domain. If these policies are set at any level below the domain level in Active Directory Domain Services (AD DS), they affect only local accounts on member servers.
-> **Note:** Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO).
+> [!NOTE]
+> Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO).
The only exception is when another account policy is defined for an organizational unit (OU). The account policy settings for the OU affect the local policy on any computers that are contained in the OU. For example, if an OU policy defines a maximum password age that differs from the domain-level account policy, the OU policy will be applied and enforced only when users log on to the local computer. The default local computer policies apply only to computers that are in a workgroup or in a domain where neither an OU account policy nor a domain policy applies.
diff --git a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
index 090bb9f3bf..82dc9c1898 100644
--- a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
+++ b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
@@ -84,6 +84,9 @@ Settings are applied in the following order through a Group Policy Object (GPO),
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
+> [!NOTE]
+> More information about configuring the policy can be found [here](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings).
+
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
index ba47760e7f..5760e380c9 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
@@ -11,7 +11,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
-ms.date: 12/10/2018
ms.reviewer:
manager: dansimp
---
@@ -36,12 +35,16 @@ The utility has the following commands:
```DOS
MpCmdRun.exe [command] [-options]
```
+For example,
+```
+MpCmdRun.exe -scan -2
+```
| Command | Description |
|:--------------------------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------|
| \-? **or** -h | Displays all available options for this tool |
-| \-Scan [-ScanType #] [-File \
->[!Note]
->This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
+> [!Note]
+> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
Certain software applications may allow additional code to run by design.
These types of applications should be blocked by your Windows Defender Application Control policy.
@@ -88,7 +89,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
- msxml6.dll
- jscript9.dll
-Pick the correct version of each .dll for the Windows release you plan to support, and remove the other versions.
+Pick the correct version of each .dll for the Windows release you plan to support, and remove the other versions. Ensure that you also uncomment them in the signing scenarios section.
```xml
@@ -888,9 +889,11 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
+
+> [!Note]
+> To create a policy that works on both Windows 10, version 1803 and version 1809, you can create two different policies, or merge them into one broader policy.
+
+## More information
+
+- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index cde7dc4fc5..15c54f8ada 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -34,7 +34,7 @@ Select Windows Defender Firewall.
## Firewall rule components
-The firewall rule configurations in Intune use the Windows 10 CSP for Firewall. For more information, see [Firewall CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/firewall-csp).
+The firewall rule configurations in Intune use the Windows 10 CSP for Firewall. For more information, see [Firewall CSP](https://docs.microsoft.com/windows/client-management/mdm/firewall-csp).
## Application
Control connections for an app or program.
diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
index a4d7f249b4..57292a294e 100644
--- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -89,6 +89,9 @@ First, create the WMI filter and configure it to look for a specified version (o
10. Click **Save** to save your completed filter.
+> [!NOTE]
+> If you're using multiple queries in the same WMI filter, these queries must all return **TRUE** for the filter requirements to be met and for the GPO to be applied.
+
## To link a WMI filter to a GPO
After you have created a filter with the correct query, link the filter to the GPO. Filters can be reused with many GPOs simultaneously; you do not have to create a new one for each GPO if an existing one meets your needs.
diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md
index e59d8d582b..30b70df2a4 100644
--- a/windows/security/threat-protection/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-baselines.md
@@ -20,8 +20,8 @@ ms.reviewer:
**Applies to**
- Windows 10
-- Windows Server 2016
-- Office 2016
+- Windows Server
+- Office 365 ProPlus
## Using security baselines in your organization