deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into sfb-11538469

Browse Source
This commit is contained in:
Trudy Hakala 2017-04-28 10:44:05 -07:00
commit aa8e17574d
24 changed files with 506 additions and 459 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

390
.openpublishing.redirection.json
View File

File diff suppressed because it is too large Load Diff

3
devices/surface-hub/create-and-test-a-device-account-surface-hub.md
View File

@ -50,7 +50,8 @@ For detailed steps using PowerShell to provision a device account, choose an opt
| [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync) in a multi-forest environment. |
| [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365. |
If you prefer to use a graphical user interface, some steps can be done using UI instead of PowerShell.
If you prefer to use a graphical user interface (UI), some steps can be done using UI instead of PowerShell.
For more information, see [Creating a device account using UI](create-a-device-account-using-office-365.md).

2
devices/surface-hub/use-room-control-system-with-surface-hub.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: TrudyHa
author: jdeckerms
localizationpriority: medium
---

6
education/breadcrumb/toc.yml
View File

@ -2,6 +2,6 @@
tocHref: /
topicHref: /
items:
- name: Education
tocHref: /education
topicHref: /education/index
- name: Windows
tocHref: /education/windows
topicHref: /education/windows/index

6
store-for-business/breadcrumb/toc.yml
View File

@ -2,6 +2,6 @@
tocHref: /
topicHref: /
items:
- name: Windows
tocHref: /windows
topicHref: /windows/windows-10
- name: Windows Store for Business
tocHref: /microsoft-store
topicHref: /microsoft-store/index

2
windows/access-protection/TOC.md
View File

@ -24,7 +24,7 @@
### [Credential Guard protection limits](credential-guard/credential-guard-protection-limits.md)
### [Considerations when using Credential Guard](credential-guard/credential-guard-considerations.md)
### [Credential Guard: Additional mitigations](credential-guard/additional-mitigations.md)
### [Credential Guard: Known issues](credential-guard/credential-guard-known-issues.md)
## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)

70
windows/access-protection/credential-guard/credential-guard-known-issues.md Normal file
View File

@ -0,0 +1,70 @@
---
title: Credential Guard Known issues (Windows 10)
description: Credential Guard - Known issues in Windows 10 Enterprise
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
---
# Credential Guard: Known issues
**Applies to**
- Windows 10
- Windows Server 2016
Credential Guard has certain application requirements. Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when Credential Guard is enabled. For further information, see [Application requirements](https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
- KB4015217: [Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/en-us/help/4015217/windows-10-update-kb4015217)
This issue can potentially lead to unexpected account lockouts.
See also Knowledge Base articles [KB4015219](https://support.microsoft.com/en-us/help/4015219/windows-10-update-kb4015219) and
[KB4015221](https://support.microsoft.com/en-us/help/4015221/windows-10-update-kb4015221)
The following issue is under investigation. For available workarounds, see the following Knowledge Base article:
- [Installing AppSense Environment Manager on Windows 10 machines causes LsaIso.exe to exhibit high CPU usage when Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) *
*Registration required to access this article.
- [Blue screen on Windows 10 computers running Device Guard and Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692)**
**Registration required to access this article.
Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 clients to exhibit high CPU usage. For further information, see the following Knowledge Base articles:
- KB88869: [Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869)
- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled.
Microsoft is currently working with Citrix to investigate this issue.
## Vendor support
- [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/)
Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:
- For Credential Guard on Windows 10 with McAfee Encryption products, see:
[Support for Device Guard and Credential Guard on Windows 10 with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009)
- For Credential Guard on Windows 10 with Check Point Endpoint Security Client, see:
[Check Point Endpoint Security Client support for Microsoft Windows 10 Credential Guard and Device Guard features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
- For Credential Guard on Windows 10 with VMWare Workstation
[Windows 10 host fails when running VMWare Workstation when Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361)
- For Credential Guard on Windows 10 with specific versions of the Lenovo ThinkPad
[ThinkPad support for Device Guard and Credential Guard in Microsoft Windows 10 ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039)
- For Credential Guard on Windows 10 with Symantec Endpoint Protection
[Windows 10 with Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Credential guard on systems that run Windows 10 or specific versions of Windows 10. Specific computer system models may be incompatible with Credential Guard.
Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.

3
windows/access-protection/credential-guard/credential-guard-manage.md
View File

@ -15,8 +15,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
Prefer video? See [Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
in the Deep Dive into Credential Guard video series.
Prefer video? See [Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) in the Deep Dive into Credential Guard video series.
## Enable Credential Guard
Credential Guard can be enabled either by using [Group Policy](#enable-credential-guard-by-using-group-policy), the [registry](#enable-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.

20
windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
View File

@ -86,21 +86,27 @@ Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow
### Disable Windows Firewall
Disabling Windows Firewall with Advanced Security can cause the following problems:
Microsoft recommends that you do not disable Windows Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](http://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/).
Disabling Windows Firewall with Advanced Security can also cause problems, including:
- Start menu can stop working
- Modern applications can fail to install or update
- Activation of Windows via phone fails
- Application or OS incompatibilities that depend on Windows Firewall
Do not disable Windows Firewall with Advanced Security service by stopping the service.
The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running.
Use the following procedure to turn the firewall off, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Prolfile|Windows Firewall:Protect all network connections**.
For more information, see [Windows firewall with advanced security deployment guide](windows-firewall-with-advanced-security-deployment-guide.md).
If you turn off the Windows Firewall with Advanced Security service, you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](http://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/).
Microsoft recommends disabling Windows Firewall with Advanced Security only when installing a third-party firewall, and resetting Windows Firewall back to defaults when the third-party software is disabled or removed.
If disabling Windows Firewall with Advanced Security is required, do not disable it by stopping the Windows Firewall service (in the **Services** snap-in, the display name is Windows Firewall and the service name is MpsSvc).
Stopping the Windows Firewall service is not supported by Microsoft.
Non-Microsoft firewall software can programmatically disable only the parts of Windows Firewall with Advanced Security that need to be disabled for compatibility.
You should not disable the firewall yourself for this purpose.
Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft.
The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running.
Use the following procedure to turn the firewall off, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Prolfile|Windows Firewall:Protect all network connections**.
For more information, see [Windows firewall with advanced security deployment guide](windows-firewall-with-advanced-security-deployment-guide.md).
The following example disables Windows Firewall with Advanced Security for all profiles.

1
windows/client-management/TOC.md
View File

@ -1,4 +1,5 @@
# [Manage clients in Windows 10](index.md)
## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
## [Create mandatory user profiles](mandatory-user-profile.md)
## [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)

2
windows/client-management/index.md
View File

@ -17,7 +17,7 @@ Learn about the administrative tools, tasks and best practices for managing Wind
| Topic | Description |
|---|---|
|[Administrative tools in Windows 10](administrative-tools-in-windows-10.md)| Listing of administrative tools useful for ITPros and advanced users in managing Windows client.|
|[Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)| Links to documentation for tools for IT pros and advanced users in the Administrative Tools folder.|
|[Connect to remote AADJ PCs](connect-to-remote-aadj-pc.md)| Instructions for connecting to a remote PC joined to Azure Active Directory (Azure AD)|
|[Group policies for enterprise and education editions](group-policies-for-enterprise-and-education-editions.md)| Listing of all group policy settings that apply specifically to Windows 10 Enterprise and Education editions|
|[Join Windows 10 Mobile to AAD](join-windows-10-mobile-to-azure-active-directory.md)| Describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.|

2
windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -1288,7 +1288,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic
-or-
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\DataCollection!AllowTelemetry**, with a value of 0 (zero).
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry**, with a value of 0 (zero).
-or-

2
windows/configuration/set-up-shared-or-guest-pc.md
View File

@ -69,7 +69,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re
| Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. |
| Customization: MaxPageFileSizeMB | Adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs. |
| Customization: RestrictLocalStorage | Set as **True** to restrict the user from saving or viewing local storage when using File Explorer. This setting controls this API: [ShouldAvoidLocalStorage](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings) |
| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. This setting controls this API: [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) |
| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. For more information, see [Windows 10 configuration recommendations for education customers](https://docs.microsoft.com/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) |
| Customization: SetPowerPolicies | When set as **True**:<br/>- Prevents users from changing power settings<br/>- Turns off hibernate<br/>- Overrides all power state transitions to sleep (e.g. lid close) |
| Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. |
| Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. |

1
windows/deployment/TOC.md
View File

@ -46,7 +46,6 @@
### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
#### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md)
#### [Upgrade Readiness requirements](upgrade/upgrade-readiness-requirements.md)
#### [Upgrade Readiness release notes](upgrade/upgrade-readiness-release-notes.md)
#### [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)
##### [Upgrade Readiness deployment script](upgrade/upgrade-readiness-deployment-script.md)
#### [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)

2
windows/deployment/change-history-for-deploy-windows-10.md
View File

@ -21,7 +21,7 @@ This topic lists new and updated topics in the [Deploy Windows 10](index.md) doc
## RELEASE: Windows 10, version 1703
The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The provisioning topics have been moved to [Configure Windows 10](/windows/configuration/index.md).
The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The provisioning topics have been moved to [Configure Windows 10](/windows/configuration/index).
## March 2017

2
windows/deployment/mbr-to-gpt.md
View File

@ -36,6 +36,8 @@ Offline conversion of system disks with earlier versions of Windows installed, s
>[!IMPORTANT]
>After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode. <BR>Make sure that your device supports UEFI before attempting to convert the disk.
<iframe width="560" height="315" align="center" src="https://www.youtube.com/embed/hfJep4hmg9o" frameborder="0" allowfullscreen></iframe>
## Syntax
<table style="font-family:consolas;font-size:12px" >

12
windows/deployment/update/waas-quick-start.md
View File

@ -22,19 +22,19 @@ Windows as a service is a new concept, introduced with the release of Windows 10
## Definitions
Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean.
- **Feature updates** will be released two to three times per year. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
- **Feature updates** will be released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
- **Quality updates** are released monthly, delivering both security and non-security fixes. These are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update.
- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
- **Servicing branches** allow organizations to choose when to deploy new features. Current Branch (CB) deploys the fastest, soon after a feature update is released. Current Branch for Business (CBB) defers the installation of the same feature update by about four months, until that feature update is considered ready for broad deployment. Long Term Servicing Branch (LTSB) is different, used only for specialized devices (which typically dont run Office) such as those that control medical equipment or ATM machines that need to be kept stable and secure.
- **Servicing channels** allow organizations to choose when to deploy new features. The Semi-Annual Channel receives feature updates twice per year. The Long Term Servicing Channel, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases about every three years.
- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization.
See [Overview of Windows as a service](waas-overview.md) for more information.
## Key Concepts
New feature update releases are initially considered **Current Branch (CB) releases**; organizations will use these for pilot deployments to ensure compatibility with existing apps and infrastructure. After about four months, the feature update will be declared as **Current Branch for Business (CBB)**, indicating that it is ready for broad deployment.
Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers.
Each Windows 10 feature update (which initially begins as CB and then is declared as CBB) will be serviced with quality updates for a minimum of 18 months after it is released. The total length of time can be longer, as there will be two CBB releases serviced at all times. There will be a minimum of 60 days advanced notice (a grace period) after a CBB declaration occurs before an older feature update is no longer serviced.
Each Windows 10 feature update will be serviced with quality updates for 18 months from the date of the feature update release.
Windows 10 Enterprise LTSB is a separate **Long Term Servicing Branch (LTSB)** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
@ -44,9 +44,9 @@ See [Assign devices to servicing branches for Windows 10 updates](waas-servicing
The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/en-us/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help.
Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isnt required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps and CBB has been declared, broad deployment can begin.
Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isnt required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
This process repeats with each new feature update, two to three times per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles.
This process repeats with each new feature update, twice per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles.
Additional technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files.

6
windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md
View File

@ -29,15 +29,15 @@ The Upgrade Readiness workflow steps you through the discovery and rationalizati
**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
- [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization)
- [Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
##**Related topics**
[Upgrade Readiness architecture](upgrade-readiness-architecture.md)<BR>
[Upgrade Readiness requirements](upgrade-readiness-requirements.md)<BR>
[Upgrade Readiness release notes](upgrade-readiness-release-notes.md)<BR>
[Upgrade Readiness release notes](upgrade-readiness-requirements.md#important-information-about-this-release)<BR>
[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)<BR>
[Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md)<BR>
[Troubleshoot Upgrade Readiness](troubleshoot-upgrade-readiness.md)<BR>

6
windows/deployment/upgrade/upgrade-readiness-architecture.md
View File

@ -19,12 +19,12 @@ After you enable Windows telemetry on user computers and install the compatibili
For more information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
[Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)<BR>
[Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)<BR>
[Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization)<BR>
[Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)<BR>
[Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)<BR>
##**Related topics**
[Upgrade Readiness requirements](upgrade-readiness-requirements.md)<BR>
[Upgrade Readiness release notes](upgrade-readiness-release-notes.md)<BR>
[Upgrade Readiness release notes](upgrade-readiness-requirements.md#important-information-about-this-release)<BR>
[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)<BR>

403
windows/deployment/upgrade/upgrade-readiness-deployment-script.md
View File

@ -68,227 +68,196 @@ To run the Upgrade Readiness deployment script:
5. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
The deployment script displays the following exit codes to let ddfyou know if it was successful, or if an error was encountered.
<div style='font-size:8.0pt'>
<TABLE border=1 cellspacing=0 cellpadding=0>
<TR><TD BGCOLOR="#a0e4fa" width=5>Exit code</TD>
<TD BGCOLOR="#a0e4fa">Meaning
<TD BGCOLOR="#a0e4fa">Suggested fix
<TR><TD>0</TD>
<TD>Success
<TD>N/A
<TR><TD>1</TD>
<TD>Unexpected error occurred while executing the script.
<TD> The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again.
<TR><TD>2</TD>
<TD>Error when logging to console. $logMode = 0.<BR>(console only)
<TD>Try changing the $logMode value to **1** and try again.<BR>$logMode value 1 logs to both console and file.
<TR><TD>3</TD>
<TD>Error when logging to console and file. $logMode = 1.
<TD>Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
<TR><TD>4</TD>
<TD>Error when logging to file. $logMode = 2.
<TD>Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
<TR><TD>5</TD>
<TD>Error when logging to console and file. $logMode = unknown.
<TD>Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
<TR><TD>6</TD>
<TD>The commercialID parameter is set to unknown. <BR>Modify the runConfig.bat file to set the CommercialID value.
<TD>The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace.
<BR>See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace.
<TR><TD>8</TD>
<TD>Failure to create registry key path: <div style='font-size:7.0pt'>**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**</div>
<TD>The Commercial Id property is set at the following registry key path: <div style='font-size:7.0pt'>**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**</div>
<BR>Verify that the context under which the script in running has access to the registry key.
<TR><TD>9</TD>
<TD>The script failed to write Commercial Id to registry.
<BR>Error creating or updating registry key: **CommercialId** at <div style='font-size:7.0pt'>**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**</div>
<TD>Verify that the context under which the script in running has access to the registry key.
<TR><TD>10</TD>
<TD>Error when writing **CommercialDataOptIn** to the registry at <div style='font-size:7.0pt'>**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**</div>
<TD>Verify that the deployment script is running in a context that has access to the registry key.
<TR><TD>11</TD>
<TD>Function **SetupCommercialId** failed with an unexpected exception.
<TD>The **SetupCommercialId** function updates the Commercial Id at the registry key path: <div style='font-size:7.0pt'>**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**</div> <BR>Verify that the configuration script has access to this location.
<TR><TD>12</TD>
<TD>Cant connect to Microsoft - Vortex. Check your network/proxy settings.
<TD>**Http Get** on the end points did not return a success exit code.<BR>
<div font-size='7pt;'>
<table border='1' cellspacing='0' cellpadding='0'>
<tr>
<td BGCOLOR="#a0e4fa" width=5>Exit code and meaning</td>
<td BGCOLOR="#a0e4fa">Suggested fix</td>
</tr>
<tr><td>0 - Success</td>
<td>N/A</td>
</tr>
<tr>
<td>1 - Unexpected error occurred while executiEng the script.</td>
<td> The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again.</td>
</tr>
<tr>
<td>2 - Error when logging to console. $logMode = 0.<BR>(console only)</td>
<td>Try changing the $logMode value to **1** and try again.<BR>$logMode value 1 logs to both console and file.</td>
</tr>
<tr>
<td>3 - Error when logging to console and file. $logMode = 1.</td>
<td>Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.</td>
</tr>
<tr>
<td>4 - Error when logging to file. $logMode = 2.</td>
<td>Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.</td>
</tr>
<tr>
<td>5 - Error when logging to console and file. $logMode = unknown.</td>
<td>Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.</td>
</tr>
<tr>
<td>6 - The commercialID parameter is set to unknown. <BR>Modify the runConfig.bat file to set the CommercialID value.</td>
<td>The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace.
<BR>See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace.</td>
</tr>
<tr>
<td>8 - Failure to create registry key path: <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**</font></td>
<td>The Commercial Id property is set at the following registry key path: <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**</font>
<BR>Verify that the context under which the script in running has access to the registry key.</td>
</tr>
<tr>
<td>9 - The script failed to write Commercial Id to registry.
<BR>Error creating or updating registry key: **CommercialId** at <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**</font>
</td>
<td>Verify that the context under which the script in running has access to the registry key.</td>
</tr>
<tr>
<td>10 - Error when writing **CommercialDataOptIn** to the registry at <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**</font></td>
<td>Verify that the deployment script is running in a context that has access to the registry key.</td>
</tr>
<tr>
<td>11 - Function **SetupCommercialId** failed with an unexpected exception.</td>
<td>The **SetupCommercialId** function updates the Commercial Id at the registry key path: <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**</font> <BR>Verify that the configuration script has access to this location.</td>
</tr>
<tr>
<td>12 - Cant connect to Microsoft - Vortex. Check your network/proxy settings.</td>
<td>**Http Get** on the end points did not return a success exit code.<BR>
For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive.<BR>
For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive.
<BR>If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing).
<TR><TD>13</TD>
<TD>Cant connect to Microsoft - setting.
<TD>An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing).
<TR><TD>14</TD>
<TD>Cant connect to Microsoft - compatexchange.
<TD>An error occurred connecting to https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc . This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing).
<TR><TD>15</TD>
<TD>Function CheckVortexConnectivity failed with an unexpected exception.
<TD>This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Check the logs for the exception message and the HResult.
<TR><TD>16</TD>
<TD>The computer requires a reboot before running the script.
<TD>A reboot is required to complete the installation of the compatibility update and related KBs. Reboot the computer before running the Upgrade Readiness deployment script.
<TR><TD>17</TD>
<TD>Function **CheckRebootRequired** failed with an unexpected exception.
<TD>A reboot is required to complete installation of the compatibility update and related KBs. Check the logs for the exception message and the HResult.
<TR><TD>18</TD>
<TD>Appraiser KBs not installed or **appraiser.dll** not found.
<TD>Either the Appraiser KBs are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser telemetry events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic.
<TR><TD>19</TD>
<TD>Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception.
<TD>Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed.
<TR><TD>20</TD>
<TD>An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at <div style='font-size:7.0pt'>**HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser**</div>
<TD>The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key.
<TR><TD>21</TD>
<TD>Function **SetRequestAllAppraiserVersions** failed with an unexpected exception.
<TD>Check the logs for the exception message and HResult.
<TR><TD>22</TD>
<TD>**RunAppraiser** failed with unexpected exception.
<TD>Check the logs for the exception message and HResult. Check the **%windir%\System32*8 directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file.
<TR><TD>23</TD>
<TD>Error finding system variable **%WINDIR%**.
<TD>Verify that this environment variable is configured on the computer.
<TR><TD>24</TD>
<TD>The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at <div style='font-size:7.0pt'>**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**</div>
<TD>This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult.
<TR><TD>25</TD>
<TD>The function **SetIEDataOptIn** failed with unexpected exception.
<TD>Check the logs for the exception message and HResult.
<TR><TD>26</TD>
<TD>The operating system is Server or LTSB SKU.
<TD> The script does not support Server or LTSB SKUs.
<TR><TD>27</TD>
<TD>The script is not running under **System** account.
<TD>The Upgrade Readiness configuration script must be run as **System**.
<TR><TD>28</TD>
<TD>Could not create log file at the specified **logPath**.
<TD> Make sure the deployment script has access to the location specified in the **logPath** parameter.
<TR><TD>29</TD>
<TD>Connectivity check failed for proxy authentication.
<TD>Install the cumulative updates on the computer and enable the **DisableEnterpriseAuthProxy** authentication proxy setting.
<BR>If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing).</td>
</tr>
<tr>
<td>13 - Cant connect to Microsoft - setting. </td>
<td>An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing).</td>
</tr>
<tr>
<td>14 - Cant connect to Microsoft - compatexchange.</td>
<td>An error occurred connecting to https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc . This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing).</td>
</tr>
<tr>
<td>15 - Function CheckVortexConnectivity failed with an unexpected exception.</td>
<td>This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Check the logs for the exception message and the HResult.</td>
</tr>
<tr>
<td>16 - The computer requires a reboot before running the script.</td>
<td>A reboot is required to complete the installation of the compatibility update and related KBs. Reboot the computer before running the Upgrade Readiness deployment script.</td>
</tr>
<tr>
<td>17 - Function **CheckRebootRequired** failed with an unexpected exception.</td>
<td>A reboot is required to complete installation of the compatibility update and related KBs. Check the logs for the exception message and the HResult.</td>
</tr>
<tr>
<td>18 - Appraiser KBs not installed or **appraiser.dll** not found.</td>
<td>Either the Appraiser KBs are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser telemetry events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic.</td>
</tr>
<tr>
<td>19 - Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception.</td>
<td>Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed.</td>
</tr>
<tr>
<td>20 - An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser**</font> </td>
<td>The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key. </td>
</tr>
<tr>
<td>21 - Function **SetRequestAllAppraiserVersions** failed with an unexpected exception.</td>
<td>Check the logs for the exception message and HResult.</td>
</tr>
<tr>
<td>22 - **RunAppraiser** failed with unexpected exception.</td>
<td>Check the logs for the exception message and HResult. Check the **%windir%\System32*8 directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file.</td>
</tr>
<tr>
<td>23 - Error finding system variable **%WINDIR%**.</td>
<td>Verify that this environment variable is configured on the computer.</td>
</tr>
<tr>
<td>24 - The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**</font></td>
<td>This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult.</td>
</tr>
<tr>
<td>25 - The function **SetIEDataOptIn** failed with unexpected exception.</td>
<td>Check the logs for the exception message and HResult.</td>
</tr>
<tr>
<td>26 - The operating system is Server or LTSB SKU.</td>
<td> The script does not support Server or LTSB SKUs.</td>
</tr>
<tr>
<td>27 - The script is not running under **System** account.</td>
<td>The Upgrade Readiness configuration script must be run as **System**. </td>
</tr>
<tr>
<td>28 - Could not create log file at the specified **logPath**.</td>
<td> Make sure the deployment script has access to the location specified in the **logPath** parameter.</td>
</tr>
<tr>
<td>29 - Connectivity check failed for proxy authentication. </td>
<td>Install the cumulative updates on the computer and enable the **DisableEnterpriseAuthProxy** authentication proxy setting.
<BR>The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7.
<BR>For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled).
<BR>For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
<TR><TD>30</TD>
<TD>Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled.
<TD>The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7.
<BR>For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).</td>
</tr>
<tr>
<td>30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled.</td>
<td>The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7.
<BR>For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled).
<BR>For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
<TR><TD>31</TD>
<TD>There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer.
<TD>Use the Windows Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled to run daily at 3 a.m.
<TR><TD>32</TD>
<TD>Appraiser version on the machine is outdated.
<TD>The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for Windows 7 SP1/Windows 8.1.
<TR><TD>33</TD>
<TD>**CompatTelRunner.exe** exited with an exit code
<TD>**CompatTelRunner.exe** runs the appraise task on the machine. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Please check the logs for more details.
<TR><TD>34</TD>
<TD>Function **CheckProxySettings** failed with an unexpected exception.
<TD>Check the logs for the exception message and HResult.
<TR><TD>35</TD>
<TD>Function **CheckAuthProxy** failed with an unexpected exception.
<TD>Check the logs for the exception message and HResult.
<TR><TD>36</TD>
<TD>Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception.
<TD>Check the logs for the exception message and HResult.
<TR><TD>37</TD>
<TD>**Diagnose_internal.cmd** failed with an unexpected exception.
<TD>Check the logs for the exception message and HResult.
<TR><TD>38</TD>
<TD>Function **Get-SqmID** failed with an unexpected exception.
<TD>Check the logs for the exception message and HResult.
<TR><TD>39</TD>
<TD>For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path <div style='font-size:7.0pt'>**HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**</div>
or <div style='font-size:7.0pt'>**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**</div>
<TD>For Windows 10 machines, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will throw an error if this is not true. For more information, see [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization).
<TR><TD>40</TD>
<TD>Function **CheckTelemetryOptIn** failed with an unexpected exception.
<TD>Check the logs for the exception message and HResult.
<TR><TD>41</TD>
<TD>The script failed to impersonate the currently logged on user.
<TD>The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the logged on user. The script also tries to mimic this, but the process failed.
<TR><TD>42</TD>
<TD>Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception.
<TD>Check the logs for the exception message and HResult.
<TR><TD>43</TD>
<TD>Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception.
<TD>Check the logs for the exception message and HResult.
<TR><TD>44</TD>
<TD>Function **Diagtrack.dll** version is old and so Auth Proxy will not work.
<TD>Update the computer using Windows Update or WSUS.
<TR><TD>45</TD>
<TD>**Diagtrack.dll** not found.
<TD>Update the computer using Windows Update or WSUS.
<TR><TD>46</TD>
<TD>**DisableEnterpriseAuthProxy** property should be set to 1 for ClientProxy=Telemetry to work.
<TD>The ClientProxy=Telemetry scenario requires the **DisableEnterpriseAuthProxy** registry key to be set to 1 at registry path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**.
<TR><TD>47</TD>
<TD>**TelemetryProxyServer** property is not present in the Windows registry at **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**.
<TD>ClientProxy selected is Telemetry. The **TelemetryProxyServer** key is not present at Windows registry path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**.
<TR><TD>48</TD>
<TD>The **CommercialID** referenced in RunConfig.bat must be a GUID.
<TD>The **CommercialID** that is entered in RunConfig.bat must be a GUID. Copy the commercial ID from your workspace. To find the commercialID on the OMS portal, view Upgrade Readiness > Settings. You will find the commercial ID on the settings page.
</TABLE>
</div>
<BR>For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).</td>
</tr>
<tr>
<td>31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. </td>
<td>Use the Windows Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled to run daily at 3 a.m.</td>
</tr>
<tr>
<td>32 - Appraiser version on the machine is outdated. </td>
<td>The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for Windows 7 SP1/Windows 8.1.</td>
</tr>
<tr>
<td>33 - **CompatTelRunner.exe** exited with an exit code </td>
<td>**CompatTelRunner.exe** runs the appraise task on the machine. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Please check the logs for more details.</td>
</tr>
<tr>
<td>34 - Function **CheckProxySettings** failed with an unexpected exception. </td>
<td>Check the logs for the exception message and HResult.></td>
</tr>
<tr>
<td>35 - Function **CheckAuthProxy** failed with an unexpected exception.</td>
<td>Check the logs for the exception message and HResult.</td>
</tr>
<tr>
<td>36 - Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception.</td>
<td>Check the logs for the exception message and HResult.</td>
</tr>
<tr>
<td>37 - **Diagnose_internal.cmd** failed with an unexpected exception.</td>
<td>Check the logs for the exception message and HResult.</td>
</tr>
<tr>
<td>38 - Function **Get-SqmID** failed with an unexpected exception. </td>
<td>Check the logs for the exception message and HResult.</td>
</tr>
<tr>
<td>39 - For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path <font size='1'>**HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**</font>
or <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**</font></td>
<td>For Windows 10 machines, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will throw an error if this is not true. For more information, see [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization).</td>
</tr>
<tr>
<td>40 - Function **CheckTelemetryOptIn** failed with an unexpected exception. </td>
<td>Check the logs for the exception message and HResult.</td>
</tr>
<tr>
<td>41 - The script failed to impersonate the currently logged on user. </td>
<td>The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the logged on user. The script also tries to mimic this, but the process failed.</td>
</tr>
<tr>
<td>42 - Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. </td>
<td>Check the logs for the exception message and HResult.</td>
</tr>
<tr>
<td>43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception.</td>
<td>Check the logs for the exception message and HResult.</td>
</table>

6
windows/deployment/upgrade/upgrade-readiness-get-started.md
View File

@ -32,8 +32,8 @@ When you are ready to begin using Upgrade Readiness, perform the following steps
To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see the following topics:
- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
- [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization)
- [Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
## Add Upgrade Readiness to Operations Management Suite
@ -113,7 +113,7 @@ If you are planning to enable IE Site Discovery, you will need to install a few
| **Site discovery** | **KB** |
|----------------------|-----------------------------------------------------------------------------|
| [Review site discovery](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-additional-insights#site-discovery) | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149)<br>Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices. <br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br><br>Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. |
| [Review site discovery](upgrade-readiness-additional-insights.md#site-discovery) | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149)<br>Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices. <br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br><br>Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. |
### Deploy the Upgrade Readiness deployment script

4
windows/deployment/upgrade/upgrade-readiness-requirements.md
View File

@ -30,7 +30,7 @@ See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-1
Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates.
The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility KBs are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com).
Windows 10 LTSB is not supported by Upgrade Readiness. The LTSB (long term servicing branch) of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not compatible with Upgrade Readiness. See [Windows as a service overview](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#long-term-servicing-branch) to understand more about LTSB.
Windows 10 LTSB is not supported by Upgrade Readiness. The LTSB (long term servicing branch) of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not compatible with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-branch) to understand more about LTSB.
## Operations Management Suite
@ -50,7 +50,7 @@ Upgrade Readiness can be integrated with your installation of Configuration Mana
After youve signed in to Operations Management Suite and added the Upgrade Readiness solution to your workspace, youll need to complete the following tasks to allow user computer data to be shared with and assessed by Upgrade Readiness.
See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) for more information about what user computer data Upgrade Readiness collects and assesses. See [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) for more information about how Microsoft uses Windows telemetry data.
See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) for more information about what user computer data Upgrade Readiness collects and assesses. See [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization) for more information about how Microsoft uses Windows telemetry data.
**Whitelist telemetry endpoints.** To enable telemetry data to be sent to Microsoft, youll need to whitelist the following Microsoft telemetry endpoints on your proxy server or firewall. You may need to get approval from your security group to do this.

2
windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md
View File

@ -56,7 +56,7 @@ Windows 10 mitigations that you can configure are listed in the following two ta
| **Windows Defender SmartScreen**<br> helps prevent<br>malicious applications<br>from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.<br><br>**More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic |
| **Credential Guard**<br> helps keep attackers<br>from gaining access through<br>Pass-the-Hash or<br>Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.<br>Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) |
| **Enterprise certificate pinning**<br> helps prevent <br>man-in-the-middle attacks<br>that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf. <br><br>**More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) |
| **Device Guard**<br> helps keep a device<br>from running malware or<br>other untrusted apps | Device Guard includes a Code Integrity policy that you create; a whitelist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.<br>Device Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Introduction to Device Guard](/windows/access-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies. |
| **Device Guard**<br> helps keep a device<br>from running malware or<br>other untrusted apps | Device Guard includes a Code Integrity policy that you create; a whitelist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.<br>Device Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) |
| **Windows Defender Antivirus**,<br>which helps keep devices<br>free of viruses and other<br>malware | Windows 10 includes Windows Defender Antivirus, a robust inbox antimalware solution. Windows Defender Antivirus has been significantly improved since it was introduced in Windows 8.<br><br>**More information**: [Windows Defender Antivirus](#windows-defender-antivirus), later in this topic |
| **Blocking of untrusted fonts**<br> helps prevent fonts<br>from being used in<br>elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).<br><br>**More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) |
| **Memory protections**<br> help prevent malware<br>from using memory manipulation<br>techniques such as buffer<br>overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:<br>A subset of apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.<br><br>**More information**: [Table 2](#table-2), later in this topic |

2
windows/whats-new/whats-new-windows-10-version-1703.md
View File

@ -75,7 +75,7 @@ Cortana is Microsofts personal digital assistant, who helps busy people get t
Using Azure AD also means that you can remove an employees profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data.
For more info about Cortana at work, see [Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview.md)
For more info about Cortana at work, see [Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview)
## Deployment