Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into errorcodes

This commit is contained in:
jaimeo
2018-12-07 12:39:22 -08:00
12 changed files with 111 additions and 43 deletions

View File

@ -12,16 +12,18 @@
## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
## [Windows libraries](windows-libraries.md)
## [Troubleshoot Windows 10 clients](windows-10-support-solutions.md)
### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md)
### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
### [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md)
### [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md)
### [Advanced troubleshooting for Windows networking issues](troubleshoot-networking.md)
#### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
#### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md)
#### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
### [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md)
#### [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
#### [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
#### [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md)
#### [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)
### [Advanced troubleshooting for Windows start-up issues](troubleshoot-windows-startup.md)
#### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
#### [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md)
#### [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md)
## [Mobile device management for solution providers](mdm/index.md)
## [Change history for Client management](change-history-for-client-management.md)
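Review bot: the two new parent entries, troubleshoot-networking.md and troubleshoot-windows-startup.md, nest the existing wireless, 802.1x, TCP/IP and boot topics one level deeper, and the child link text is copied over unchanged, so the new landing pages must use the same titles; in this commit the networking index shortens "Advanced troubleshooting Wireless Network Connectivity" to "Advanced troubleshooting Wireless Network" and the start-up index drops "issue" from the Stop error title, so the TOC and the landing pages already disagree. Pick one title per file and use it in both places.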

View File

@ -0,0 +1,20 @@
---
title: Advanced troubleshooting for Windows networking issues
description: Learn how to troubleshoot networking issues.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
author: kaushika-msft
ms.localizationpriority: medium
ms.author: kaushika
ms.date:
---
# Advanced troubleshooting for Windows networking issues
In these topics, you will learn how to troubleshoot common problems related to Windows networking.
- [Advanced troubleshooting Wireless Network](advanced-troubleshooting-wireless-network-connectivity.md)
- [Data collection for troubleshooting 802.1x authentication](data-collection-for-802-authentication.md)
- [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
- [Advanced troubleshooting for TCP/IP issues](troubleshoot-tcpip.md)
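Review bot: `ms.date:` in the new front matter is left empty; set it to the publication date so the page's last-updated metadata is not blank. The first bullet's link text "Advanced troubleshooting Wireless Network" also drops the word "Connectivity" used for the same file in the TOC; align the two.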

View File

@ -36,17 +36,17 @@ If the initial TCP handshake is failing because of packet drops then you would s
Source side connecting on port 445:
![](images/tcp-ts-6.png)
![Screenshot of frame summary in Network Monitor](images/tcp-ts-6.png)
Destination side: applying the same filter, you do not see any packets.
![](images/tcp-ts-7.png)
![Screenshot of frame summary with filter in Network Monitor](images/tcp-ts-7.png)
For the rest of the data, TCP will retransmit the packets 5 times.
**Source 192.168.1.62 side trace:**
![](images/tcp-ts-8.png)
![Screenshot showing packet side trace](images/tcp-ts-8.png)
**Destination 192.168.1.2 side trace:**
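Review bot: the new alt text is generic; alt text is what a screen-reader user gets in place of the screenshot, so it should say what the reader is meant to notice, for example "Network Monitor frame summary on the source showing SYN packets to port 445" and "Network Monitor frame summary on the destination with the same filter and no packets" rather than "Screenshot of frame summary in Network Monitor".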
@ -71,15 +71,15 @@ In the below screenshots, you see that the packets seen on the source and the de
**Source Side**
![](images/tcp-ts-9.png)
![Screenshot of packets on source side in Network Monitor](images/tcp-ts-9.png)
**On the destination-side trace**
![](images/tcp-ts-10.png)
![Screenshot of packets on destination side in Network Monitor](images/tcp-ts-10.png)
You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason does not want to accept the packet, it would send an ACK+RST packet.
![](images/tcp-ts-11.png)
![Screenshot of packet flag](images/tcp-ts-11.png)
The application which is causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection.
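Review bot: "Screenshot of packet flag" does not say which flag; the sentence above is about the ACK+RST packet, so use "Screenshot of ACK+RST flag packet in Network Monitor" so the alt text carries the same information as the image.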
@ -102,8 +102,8 @@ auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /fai
You can then review the Security event logs to see for a packet drop on a particular port-IP and a filter ID associated with it.
![](images/tcp-ts-12.png)
![Screenshot of Event Properties](images/tcp-ts-12.png)
Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. Once you open this file and filter for the ID you find in the above event (2944008), you will be able to see a firewall rule name associated with this ID which is blocking the connection.
![](images/tcp-ts-13.png)
![Screenshot of wfpstate.xml file](images/tcp-ts-13.png)
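Review bot: the alt text additions are fine; while touching these lines, the sentence "Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file." is a comma splice and should be split into two sentences. The filter ID 2944008 is a value from the author's own trace, and the text should say so, so that readers filter for the ID shown in their own event rather than this one.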

View File

@ -54,21 +54,21 @@ Specifically, about outbound connections as incoming connections will not requir
Since outbound connections start to fail, you will see a lot of the below behaviors:
- Unable to login to the machine with domain credentials, however login with local account works. Domain login will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain login might still work.
- Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work.
![](images/tcp-ts-14.png)
![Screenshot of error for NETLOGON in Event Viewer](images/tcp-ts-14.png)
- Group Policy update failures:
![](images/tcp-ts-15.png)
![Screenshot of event properties for Group Policy failure](images/tcp-ts-15.png)
- File shares are inaccessible:
![](images/tcp-ts-16.png)
![Screenshot of error message "Windows cannot access"](images/tcp-ts-16.png)
- RDP from the affected server fails:
![](images/tcp-ts-17.png)
![Screenshot of error when Remote Desktop is unable to connect](images/tcp-ts-17.png)
- Any other application running on the machine will start to give out errors
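Review bot: the "login" to "sign in" rewording keeps "cache credentials", which should read "cached credentials". The same terminology change is not applied to the later step in this file, "try to login using domain credentials", so the page is now inconsistent; update that line as well.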
@ -82,15 +82,15 @@ If you suspect that the machine is in a state of port exhaustion:
a. **Event ID 4227**
![](images/tcp-ts-18.png)
![Screenshot of event id 4227 in Event Viewer](images/tcp-ts-18.png)
b. **Event ID 4231**
![](images/tcp-ts-19.png)
![Screenshot of event id 4231 in Event Viewer](images/tcp-ts-19.png)
3. Collect a `netstat -anob output` from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID.
![](images/tcp-ts-20.png)
![Screenshot of netstate command output](images/tcp-ts-20.png)
After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
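Review bot: "Screenshot of netstate command output" misspells the tool; the command is `netstat`. In the step above, the backticks spill onto the word "output" (`netstat -anob output`); only `netstat -anob` is the command. The TIME_WAIT paragraph also reads "the port used the process or application" and should be "the port used by the process or application".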
@ -132,7 +132,7 @@ If method 1 does not help you identify the process (prior to Windows 10 and Wind
1. Add a column called “handles” under details/processes.
2. Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe.
![](images/tcp-ts-21.png)
![Screenshot of handles column in Windows Task Maner](images/tcp-ts-21.png)
3. If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds.
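Review bot: "Windows Task Maner" in the new alt text is a typo for "Windows Task Manager". Step 3 still says "try to login using domain credentials" while the earlier hunk in this file changed "login" to "sign in"; change it here too.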
@ -153,7 +153,7 @@ Steps to use Process explorer:
File \Device\AFD
![](images/tcp-ts-22.png)
![Screenshot of Process Explorer](images/tcp-ts-22.png)
10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app.

View File

@ -158,15 +158,15 @@ Open the traces in [Microsoft Network Monitor 3.4](troubleshoot-tcpip-netmon.md)
- Look for the “EPM” Protocol Under the “Protocol” column.
- Now check if you are getting a response from the server or not, if you get a response note the Dynamic Port number that you have been allocated to use.
- Now check if you are getting a response from the server. If you get a response, note the dynamic port number that you have been allocated to use.
![](images/tcp-ts-23.png)
![Screenshot of Network Monitor with dynamic port highlighted](images/tcp-ts-23.png)
- Check if we are connecting successfully to this Dynamic port successfully.
- The filter should be something like this: tcp.port==<dynamic-port-allocated> and ipv4.address==<server-ip>
![](images/tcp-ts-24.png)
![Screenshot of Network Monitor with filter applied](images/tcp-ts-24.png)
This should help you verify the connectivity and isolate if any network issues are seen.
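Review bot: the rewritten bullet reads well, but the next bullet, "Check if we are connecting successfully to this Dynamic port successfully.", repeats "successfully" and should be fixed in the same pass. The filter line uses bare angle brackets (`<dynamic-port-allocated>`, `<server-ip>`), which Markdown renderers may treat as HTML tags and drop; put the filter in backticks.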
@ -175,13 +175,13 @@ This should help you verify the connectivity and isolate if any network issues a
The most common reason why we would see the RPC server unavailable is when the dynamic port that the client tries to connect is not reachable. The client side trace would then show TCP SYN retransmits for the dynamic port.
![](images/tcp-ts-25.png)
![Screenshot of Network Monitor with TCP SYN retransmits](images/tcp-ts-25.png)
The port cannot be reachable due to one of the following reasons:
- The dynamic port range is blocked on the firewall in the environment.
- A middle device is dropping the packets.
- The destination server is dropping the packets (WFP drop / NIC drop/ Filter driver etc)
- The destination server is dropping the packets (WFP drop / NIC drop/ Filter driver etc).
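Review bot: adding the period is fine; the introductory sentence "The port cannot be reachable due to one of the following reasons" should read "The port can be unreachable for one of the following reasons", and "the dynamic port that the client tries to connect" needs "connect to".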

View File

@ -0,0 +1,19 @@
---
title: Advanced troubleshooting for Windows start-up issues
description: Learn how to troubleshoot Windows start-up issues.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
author: kaushika-msft
ms.localizationpriority: medium
ms.author: kaushika
ms.date:
---
# Advanced troubleshooting for Windows start-up issues
In these topics, you will learn how to troubleshoot common problems related to Windows start-up.
- [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
- [Advanced troubleshooting for Stop error or blue screen error](troubleshoot-stop-errors.md)
- [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md)
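Review bot: `ms.date:` is empty in this new file as well; set it. The link text "Advanced troubleshooting for Stop error or blue screen error" differs from the TOC entry "Advanced troubleshooting for Stop error or blue screen error issue" for the same file; use one title.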

View File

@ -73,7 +73,7 @@ The response will include an access token and expiry information.
```json
{
"token_type": "Bearer",
"expires_in": "3599"
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1488720683",
"not_before": "1488720683",
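Review bot: restoring the comma after `"expires_in": "3599"` is the right fix for the invalid JSON; since the block is fenced as `json`, confirm the rest of the object (not shown in this hunk) parses too, so the sample can be pasted into a validator as-is.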

View File

@ -33,13 +33,13 @@ You can also get detailed reporting into events and blocks as part of Windows Se
You can create custom views in the Windows Event Viewer to only see events for specific capabilities and settings.
The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page.
The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page.
You can also manually navigate to the event area that corresponds to the feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details.
### Import an existing XML custom view
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropriate file to an easily accessible location. The following filenames are each of the custom views:
1. Create an empty .txt file and copy the XML for the custom view you want to use into the .txt file. Do this for each of the custom views you want to use. Rename the files as follows (ensure you change the type from .txt to .xml):
- Controlled folder access events custom view: *cfa-events.xml*
- Exploit protection events custom view: *ep-events.xml*
- Attack surface reduction events custom view: *asr-events.xml*
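Review bot: with the Evaluation Package download removed, the heading "Import an existing XML custom view" is stale: the view no longer exists beforehand, the reader creates it from the XML on this page, so rename the heading ("Create and import an XML custom view" or similar). The new step 1 also takes a detour through a .txt file and a rename; telling the reader to save the copied XML directly with an .xml filename is shorter and drops the "change the type from .txt to .xml" caveat. The context sentence "You can also manually navigate to the event area that corresponds to the feature, see the list ..." is a comma splice and should be split.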