deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 06:47:21 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into whfb-changes

Browse Source
This commit is contained in:
Mapalko 2019-07-29 15:56:42 -07:00
commit b6696a81e4
35 changed files with 779 additions and 158 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/release-information/resolved-issues-windows-10-1903.yml
View File

@ -32,6 +32,7 @@ sections:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Summary</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>Date resolved</td></tr>
<tr><td><div id='546msg'></div><b>RASMAN service may stop working and result in the error “0xc0000005”</b><br>The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.<br><br><a href = '#546msgdesc'>See details ></a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4505903' target='_blank'>KB4505903</a></td><td>July 26, 2019 <br>02:00 PM PT</td></tr>
<tr><td><div id='533msg'></div><b>Loss of functionality in Dynabook Smartphone Link app</b><br>After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.<br><br><a href = '#533msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 20, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>July 11, 2019 <br>01:54 PM PT</td></tr>
<tr><td><div id='532msg'></div><b>Error attempting to update with external USB device or memory card attached </b><br>PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"<br><br><a href = '#532msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>July 11, 2019 <br>01:53 PM PT</td></tr>
<tr><td><div id='531msg'></div><b>Audio not working with Dolby Atmos headphones and home theater </b><br>Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.<br><br><a href = '#531msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>July 11, 2019 <br>01:53 PM PT</td></tr>
@ -55,6 +56,7 @@ sections:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='546msgdesc'></div><b>RASMAN service may stop working and result in the error “0xc0000005”</b><div>The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0.&nbsp;You may also receive an error in the<strong> Application section </strong>of <strong>Windows Logs</strong> <strong>in</strong>&nbsp;<strong>Event Viewer&nbsp;</strong>with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.</div><div><br></div><div>This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.</div><div><br></div><div><strong>Affected platforms</strong></div><ul><li>Client: Windows 10, version 1903</li></ul><div></div><div><strong>Resolution:</strong>&nbsp;This issue was resolved in <a href='https://support.microsoft.com/help/4505903' target='_blank'>KB4505903</a>.</div><br><a href ='#546msg'>Back to top</a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4505903' target='_blank'>KB4505903</a></td><td>Resolved:<br>July 26, 2019 <br>02:00 PM PT<br><br>Opened:<br>June 28, 2019 <br>05:01 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='519msgdesc'></div><b>Event Viewer may close or you may receive an error when using Custom Views</b><div>When trying to expand, view, or create&nbsp;<strong>Custom Views&nbsp;</strong>in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using&nbsp;<strong>Filter Current Log</strong>&nbsp;in the&nbsp;<strong>Action&nbsp;</strong>menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1</li><li>Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2</li></ul><div></div><div><strong>Resolution:</strong>&nbsp;This issue was resolved in <a href='https://support.microsoft.com/help/4501375' target='_blank'>KB4501375</a>.</div><br><a href ='#519msg'>Back to top</a></td><td>OS Build 18362.175<br><br>June 11, 2019<br><a href ='https://support.microsoft.com/help/4503293' target='_blank'>KB4503293</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4501375' target='_blank'>KB4501375</a></td><td>Resolved:<br>June 27, 2019 <br>10:00 AM PT<br><br>Opened:<br>June 12, 2019 <br>11:11 AM PT</td></tr>
</table>
"

6
windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
View File

@ -60,7 +60,8 @@ sections:
- type: markdown
text: "<div>This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.</div><br>
<table border ='0'><tr><td width='65%'>Summary</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>Last updated</td></tr>
<tr><td><div id='540msg'></div><b>Domain connected devices that use MIT Kerberos realms may not start up</b><br>Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after updating.<br><br><a href = '#540msgdesc'>See details ></a></td><td>OS Build 14393.3115<br><br>July 16, 2019<br><a href ='https://support.microsoft.com/help/4507459' target='_blank'>KB4507459</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>July 25, 2019 <br>06:10 PM PT</td></tr>
<tr><td><div id='545msg'></div><b>Internet Explorer 11 and apps using the WebBrowser control may fail to render</b><br>JavaScript may fail to render as expected in Internet Explorer 11 and in apps using JavaScript or the WebBrowser control.<br><br><a href = '#545msgdesc'>See details ></a></td><td>OS Build 14393.3085<br><br>July 09, 2019<br><a href ='https://support.microsoft.com/help/4507460' target='_blank'>KB4507460</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>July 26, 2019 <br>04:58 PM PT</td></tr>
<tr><td><div id='542msg'></div><b>Domain connected devices that use MIT Kerberos realms will not start up</b><br>Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.<br><br><a href = '#542msgdesc'>See details ></a></td><td>OS Build 14393.3115<br><br>July 16, 2019<br><a href ='https://support.microsoft.com/help/4507459' target='_blank'>KB4507459</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>July 26, 2019 <br>04:08 PM PT</td></tr>
<tr><td><div id='538msg'></div><b>SCVMM cannot enumerate and manage logical switches deployed on the host</b><br>For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.<br><br><a href = '#538msgdesc'>See details ></a></td><td>OS Build 14393.2639<br><br>November 27, 2018<br><a href ='https://support.microsoft.com/help/4467684' target='_blank'>KB4467684</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4507459' target='_blank'>KB4507459</a></td><td>July 16, 2019 <br>10:00 AM PT</td></tr>
<tr><td><div id='535msg'></div><b>Some applications may fail to run as expected on clients of AD FS 2016</b><br>Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)<br><br><a href = '#535msgdesc'>See details ></a></td><td>OS Build 14393.2941<br><br>April 25, 2019<br><a href ='https://support.microsoft.com/help/4493473' target='_blank'>KB4493473</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4507459' target='_blank'>KB4507459</a></td><td>July 16, 2019 <br>10:00 AM PT</td></tr>
<tr><td><div id='530msg'></div><b>Devices starting using PXE from a WDS or SCCM servers may fail to start</b><br>Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"<br><br><a href = '#530msgdesc'>See details ></a></td><td>OS Build 14393.3025<br><br>June 11, 2019<br><a href ='https://support.microsoft.com/help/4503267' target='_blank'>KB4503267</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>July 10, 2019 <br>07:09 PM PT</td></tr>
@ -84,7 +85,8 @@ sections:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='540msgdesc'></div><b>Domain connected devices that use MIT Kerberos realms may not start up</b><div>Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after installation of <a href='https://support.microsoft.com/help/4507459' target='_blank'>KB4507459</a>. Devices that are domain controllers or domain members are both affected.</div><div><br></div><div>If you are not sure if your device is affected, contact your administrator.&nbsp;Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -&gt; Policies -&gt; Administrative Templates &gt; System -&gt; Kerberos.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607</li><li>Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016</li></ul><div></div><div><strong>Next steps:</strong>&nbsp;At this time, we suggest that devices in an affected environment do not install <a href='https://support.microsoft.com/help/4507459' target='_blank'>KB4507459</a>. We are working on a resolution and estimate a solution will be available in mid-August.</div><br><a href ='#540msg'>Back to top</a></td><td>OS Build 14393.3115<br><br>July 16, 2019<br><a href ='https://support.microsoft.com/help/4507459' target='_blank'>KB4507459</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 25, 2019 <br>06:10 PM PT<br><br>Opened:<br>July 25, 2019 <br>06:10 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='545msgdesc'></div><b>Internet Explorer 11 and apps using the WebBrowser control may fail to render</b><div>Internet Explorer 11 may fail to render some JavaScript after installing <a href='https://support.microsoft.com/help/4507460' target='_blank'>KB4507460</a>. You may also have issues with apps using JavaScript or the <strong>WebBrowser</strong> control, such as the present PowerPoint feature of Skype Meeting&nbsp;Broadcast.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607</li><li>Server: Windows Server 2016</li></ul><div></div><div><strong>Workaround: </strong>To mitigate this issue, you need to <strong>Enable Script Debugging</strong> using one of the following ways.</div><div><br></div><div>You can configure the below registry key:</div><div>Registry setting: HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main</div><div>Value: Disable Script Debugger</div><div>Type: REG_SZ</div><div>Data: no</div><div><br></div><div>Or you can <strong>Enable Script Debugging</strong> in <strong>Internet Settings</strong>. You can open <strong>Internet Setting</strong> by either typing <strong>Internet Settings</strong> into the search box on Windows or by selecting <strong>Internet Options</strong>&nbsp;in Internet Explorer. Once open, select <strong>Advanced</strong>&nbsp;then&nbsp;<strong>Browsing</strong> and finally, select <strong>Enable Script Debugging</strong>.</div><div><br></div><div><strong>Next steps: </strong>We are working on a resolution and will provide an update in an upcoming release.</div><br><a href ='#545msg'>Back to top</a></td><td>OS Build 14393.3085<br><br>July 09, 2019<br><a href ='https://support.microsoft.com/help/4507460' target='_blank'>KB4507460</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 26, 2019 <br>04:58 PM PT<br><br>Opened:<br>July 26, 2019 <br>04:58 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='542msgdesc'></div><b>Domain connected devices that use MIT Kerberos realms will not start up</b><div>Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of <a href='https://support.microsoft.com/help/4507459' target='_blank'>KB4507459</a>. Devices that are domain controllers or domain members are both affected.</div><div><br></div><div>If you are not sure if your device is affected, contact your administrator.&nbsp;Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -&gt; Policies -&gt; Administrative Templates &gt; System -&gt; Kerberos.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607</li><li>Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016</li></ul><div></div><div><strong>Next steps:</strong>&nbsp;At this time, we suggest that devices in an affected environment do not install <a href='https://support.microsoft.com/help/4507459' target='_blank'>KB4507459</a>. We are working on a resolution and estimate a solution will be available in mid-August.</div><br><a href ='#542msg'>Back to top</a></td><td>OS Build 14393.3115<br><br>July 16, 2019<br><a href ='https://support.microsoft.com/help/4507459' target='_blank'>KB4507459</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 26, 2019 <br>04:08 PM PT<br><br>Opened:<br>July 25, 2019 <br>06:10 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='530msgdesc'></div><b>Devices starting using PXE from a WDS or SCCM servers may fail to start</b><div>Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing <a href='https://support.microsoft.com/help/4503267' target='_blank'>KB4503267</a> on a WDS server.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903</li></ul><div></div><div><strong>Workaround: </strong></div><div>To mitigate this issue on an SCCM server:</div><ol><li>Verify Variable Window Extension&nbsp;is enabled.</li><li>Set the values of <strong>TFTP block size </strong>to <strong>4096</strong> and <strong>TFTP window size </strong>to <strong>1</strong>. For guidance on how to configure them<strong>, </strong>see <a href=\"https://docs.microsoft.com/en-us/sccm/osd/get-started/prepare-site-system-roles-for-operating-system-deployments#BKMK_RamDiskTFTP\" target=\"_blank\">Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points</a>.</li></ol><div><strong>Note </strong>Try the default values for <strong>TFTP block size </strong>and <strong>TFTP window size </strong>first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the <strong>Enable a PXE responder without Windows Deployment Service</strong> setting. For more information on this setting, see <a href=\"https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe\" target=\"_blank\">Install and configure distribution points in Configuration Manager</a>.</div><div><br></div><div>To mitigate this issue on a WDS server without SCCM:</div><ol><li>In WDS TFTP settings, verify Variable Window Extension&nbsp;is enabled.</li><li>In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.</li><li>In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.</li></ol><div><strong>Note </strong>Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.</div><div><br></div><div><strong>Next steps: </strong>We are working on a resolution and will provide an update in an upcoming release.</div><br><a href ='#530msg'>Back to top</a></td><td>OS Build 14393.3025<br><br>June 11, 2019<br><a href ='https://support.microsoft.com/help/4503267' target='_blank'>KB4503267</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 10, 2019 <br>07:09 PM PT<br><br>Opened:<br>July 10, 2019 <br>02:51 PM PT</td></tr>
</table>
"

4
windows/release-information/status-windows-10-1703.yml
View File

@ -60,7 +60,7 @@ sections:
- type: markdown
text: "<div>This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.</div><br>
<table border ='0'><tr><td width='65%'>Summary</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>Last updated</td></tr>
<tr><td><div id='540msg'></div><b>Domain connected devices that use MIT Kerberos realms may not start up</b><br>Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after updating.<br><br><a href = '#540msgdesc'>See details ></a></td><td>OS Build 15063.1955<br><br>July 16, 2019<br><a href ='https://support.microsoft.com/help/4507467' target='_blank'>KB4507467</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>July 25, 2019 <br>06:10 PM PT</td></tr>
<tr><td><div id='542msg'></div><b>Domain connected devices that use MIT Kerberos realms will not start up</b><br>Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.<br><br><a href = '#542msgdesc'>See details ></a></td><td>OS Build 15063.1955<br><br>July 16, 2019<br><a href ='https://support.microsoft.com/help/4507467' target='_blank'>KB4507467</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>July 26, 2019 <br>04:08 PM PT</td></tr>
<tr><td><div id='528msg'></div><b>Devices with Hyper-V enabled may receive BitLocker error 0xC0210000</b><br>Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.<br><br><a href = '#528msgdesc'>See details ></a></td><td>OS Build 15063.1805<br><br>May 14, 2019<br><a href ='https://support.microsoft.com/help/4499181' target='_blank'>KB4499181</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4507450' target='_blank'>KB4507450</a></td><td>July 09, 2019 <br>10:00 AM PT</td></tr>
<tr><td><div id='520msg'></div><b>Difficulty connecting to some iSCSI-based SANs</b><br>Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.<br><br><a href = '#520msgdesc'>See details ></a></td><td>OS Build 15063.1839<br><br>May 28, 2019<br><a href ='https://support.microsoft.com/help/4499162' target='_blank'>KB4499162</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4509476' target='_blank'>KB4509476</a></td><td>June 26, 2019 <br>04:00 PM PT</td></tr>
<tr><td><div id='321msg'></div><b>Certain operations performed on a Cluster Shared Volume may fail</b><br>Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".<br><br><a href = '#321msgdesc'>See details ></a></td><td>OS Build 15063.1563<br><br>January 08, 2019<br><a href ='https://support.microsoft.com/help/4480973' target='_blank'>KB4480973</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>April 25, 2019 <br>02:00 PM PT</td></tr>
@ -79,7 +79,7 @@ sections:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='540msgdesc'></div><b>Domain connected devices that use MIT Kerberos realms may not start up</b><div>Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after installation of <a href='https://support.microsoft.com/help/4507467' target='_blank'>KB4507467</a>. Devices that are domain controllers or domain members are both affected.</div><div><br></div><div>If you are not sure if your device is affected, contact your administrator.&nbsp;Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -&gt; Policies -&gt; Administrative Templates &gt; System -&gt; Kerberos.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607</li><li>Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016</li></ul><div></div><div><strong>Next steps:</strong>&nbsp;At this time, we suggest that devices in an affected environment do not install <a href='https://support.microsoft.com/help/4507467' target='_blank'>KB4507467</a>. We are working on a resolution and estimate a solution will be available in mid-August.</div><br><a href ='#540msg'>Back to top</a></td><td>OS Build 15063.1955<br><br>July 16, 2019<br><a href ='https://support.microsoft.com/help/4507467' target='_blank'>KB4507467</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 25, 2019 <br>06:10 PM PT<br><br>Opened:<br>July 25, 2019 <br>06:10 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='542msgdesc'></div><b>Domain connected devices that use MIT Kerberos realms will not start up</b><div>Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of <a href='https://support.microsoft.com/help/4507467' target='_blank'>KB4507467</a>. Devices that are domain controllers or domain members are both affected.</div><div><br></div><div>If you are not sure if your device is affected, contact your administrator.&nbsp;Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -&gt; Policies -&gt; Administrative Templates &gt; System -&gt; Kerberos.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607</li><li>Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016</li></ul><div></div><div><strong>Next steps:</strong>&nbsp;At this time, we suggest that devices in an affected environment do not install <a href='https://support.microsoft.com/help/4507467' target='_blank'>KB4507467</a>. We are working on a resolution and estimate a solution will be available in mid-August.</div><br><a href ='#542msg'>Back to top</a></td><td>OS Build 15063.1955<br><br>July 16, 2019<br><a href ='https://support.microsoft.com/help/4507467' target='_blank'>KB4507467</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 26, 2019 <br>04:08 PM PT<br><br>Opened:<br>July 25, 2019 <br>06:10 PM PT</td></tr>
</table>
"

4
windows/release-information/status-windows-10-1709.yml
View File

@ -60,7 +60,7 @@ sections:
- type: markdown
text: "<div>This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.</div><br>
<table border ='0'><tr><td width='65%'>Summary</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>Last updated</td></tr>
<tr><td><div id='540msg'></div><b>Domain connected devices that use MIT Kerberos realms may not start up</b><br>Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after updating.<br><br><a href = '#540msgdesc'>See details ></a></td><td>OS Build 16299.1296<br><br>July 16, 2019<br><a href ='https://support.microsoft.com/help/4507465' target='_blank'>KB4507465</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>July 25, 2019 <br>06:10 PM PT</td></tr>
<tr><td><div id='542msg'></div><b>Domain connected devices that use MIT Kerberos realms will not start up</b><br>Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.<br><br><a href = '#542msgdesc'>See details ></a></td><td>OS Build 16299.1296<br><br>July 16, 2019<br><a href ='https://support.microsoft.com/help/4507465' target='_blank'>KB4507465</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>July 26, 2019 <br>04:08 PM PT</td></tr>
<tr><td><div id='530msg'></div><b>Devices starting using PXE from a WDS or SCCM servers may fail to start</b><br>Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"<br><br><a href = '#530msgdesc'>See details ></a></td><td>OS Build 16299.1217<br><br>June 11, 2019<br><a href ='https://support.microsoft.com/help/4503284' target='_blank'>KB4503284</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>July 10, 2019 <br>07:09 PM PT</td></tr>
<tr><td><div id='520msg'></div><b>Difficulty connecting to some iSCSI-based SANs</b><br>Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.<br><br><a href = '#520msgdesc'>See details ></a></td><td>OS Build 16299.1182<br><br>May 28, 2019<br><a href ='https://support.microsoft.com/help/4499147' target='_blank'>KB4499147</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4509477' target='_blank'>KB4509477</a></td><td>June 26, 2019 <br>04:00 PM PT</td></tr>
<tr><td><div id='320msg'></div><b>Certain operations performed on a Cluster Shared Volume may fail</b><br>Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".<br><br><a href = '#320msgdesc'>See details ></a></td><td>OS Build 16299.904<br><br>January 08, 2019<br><a href ='https://support.microsoft.com/help/4480978' target='_blank'>KB4480978</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>April 25, 2019 <br>02:00 PM PT</td></tr>
@ -79,7 +79,7 @@ sections:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='540msgdesc'></div><b>Domain connected devices that use MIT Kerberos realms may not start up</b><div>Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after installation of <a href='https://support.microsoft.com/help/4507465' target='_blank'>KB4507465</a>. Devices that are domain controllers or domain members are both affected.</div><div><br></div><div>If you are not sure if your device is affected, contact your administrator.&nbsp;Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -&gt; Policies -&gt; Administrative Templates &gt; System -&gt; Kerberos.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607</li><li>Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016</li></ul><div></div><div><strong>Next steps:</strong>&nbsp;At this time, we suggest that devices in an affected environment do not install <a href='https://support.microsoft.com/help/4507465' target='_blank'>KB4507465</a>. We are working on a resolution and estimate a solution will be available in mid-August.</div><br><a href ='#540msg'>Back to top</a></td><td>OS Build 16299.1296<br><br>July 16, 2019<br><a href ='https://support.microsoft.com/help/4507465' target='_blank'>KB4507465</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 25, 2019 <br>06:10 PM PT<br><br>Opened:<br>July 25, 2019 <br>06:10 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='542msgdesc'></div><b>Domain connected devices that use MIT Kerberos realms will not start up</b><div>Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of <a href='https://support.microsoft.com/help/4507465' target='_blank'>KB4507465</a>. Devices that are domain controllers or domain members are both affected.</div><div><br></div><div>If you are not sure if your device is affected, contact your administrator.&nbsp;Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -&gt; Policies -&gt; Administrative Templates &gt; System -&gt; Kerberos.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607</li><li>Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016</li></ul><div></div><div><strong>Next steps:</strong>&nbsp;At this time, we suggest that devices in an affected environment do not install <a href='https://support.microsoft.com/help/4507465' target='_blank'>KB4507465</a>. We are working on a resolution and estimate a solution will be available in mid-August.</div><br><a href ='#542msg'>Back to top</a></td><td>OS Build 16299.1296<br><br>July 16, 2019<br><a href ='https://support.microsoft.com/help/4507465' target='_blank'>KB4507465</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 26, 2019 <br>04:08 PM PT<br><br>Opened:<br>July 25, 2019 <br>06:10 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='530msgdesc'></div><b>Devices starting using PXE from a WDS or SCCM servers may fail to start</b><div>Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing <a href='https://support.microsoft.com/help/4503284' target='_blank'>KB4503284</a> on a WDS server.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903</li></ul><div></div><div><strong>Workaround: </strong></div><div>To mitigate this issue on an SCCM server:</div><ol><li>Verify Variable Window Extension&nbsp;is enabled.</li><li>Set the values of <strong>TFTP block size </strong>to <strong>4096</strong> and <strong>TFTP window size </strong>to <strong>1</strong>. For guidance on how to configure them<strong>, </strong>see <a href=\"https://docs.microsoft.com/en-us/sccm/osd/get-started/prepare-site-system-roles-for-operating-system-deployments#BKMK_RamDiskTFTP\" target=\"_blank\">Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points</a>.</li></ol><div><strong>Note </strong>Try the default values for <strong>TFTP block size </strong>and <strong>TFTP window size </strong>first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the <strong>Enable a PXE responder without Windows Deployment Service</strong> setting. For more information on this setting, see <a href=\"https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe\" target=\"_blank\">Install and configure distribution points in Configuration Manager</a>.</div><div><br></div><div>To mitigate this issue on a WDS server without SCCM:</div><ol><li>In WDS TFTP settings, verify Variable Window Extension&nbsp;is enabled.</li><li>In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.</li><li>In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.</li></ol><div><strong>Note </strong>Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.</div><div><br></div><div><strong>Next steps: </strong>We are working on a resolution and will provide an update in an upcoming release.</div><br><a href ='#530msg'>Back to top</a></td><td>OS Build 16299.1217<br><br>June 11, 2019<br><a href ='https://support.microsoft.com/help/4503284' target='_blank'>KB4503284</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 10, 2019 <br>07:09 PM PT<br><br>Opened:<br>July 10, 2019 <br>02:51 PM PT</td></tr>
</table>
"

4
windows/release-information/status-windows-10-1803.yml
View File

@ -60,7 +60,7 @@ sections:
- type: markdown
text: "<div>This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.</div><br>
<table border ='0'><tr><td width='65%'>Summary</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>Last updated</td></tr>
<tr><td><div id='540msg'></div><b>Domain connected devices that use MIT Kerberos realms may not start up</b><br>Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after updating.<br><br><a href = '#540msgdesc'>See details ></a></td><td>OS Build 17134.915<br><br>July 16, 2019<br><a href ='https://support.microsoft.com/help/4507466' target='_blank'>KB4507466</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>July 25, 2019 <br>06:10 PM PT</td></tr>
<tr><td><div id='542msg'></div><b>Domain connected devices that use MIT Kerberos realms will not start up</b><br>Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.<br><br><a href = '#542msgdesc'>See details ></a></td><td>OS Build 17134.915<br><br>July 16, 2019<br><a href ='https://support.microsoft.com/help/4507466' target='_blank'>KB4507466</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>July 26, 2019 <br>04:08 PM PT</td></tr>
<tr><td><div id='530msg'></div><b>Devices starting using PXE from a WDS or SCCM servers may fail to start</b><br>Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"<br><br><a href = '#530msgdesc'>See details ></a></td><td>OS Build 17134.829<br><br>June 11, 2019<br><a href ='https://support.microsoft.com/help/4503286' target='_blank'>KB4503286</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>July 10, 2019 <br>07:09 PM PT</td></tr>
<tr><td><div id='520msg'></div><b>Difficulty connecting to some iSCSI-based SANs</b><br>Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.<br><br><a href = '#520msgdesc'>See details ></a></td><td>OS Build 17134.799<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4499183' target='_blank'>KB4499183</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4509478' target='_blank'>KB4509478</a></td><td>June 26, 2019 <br>04:00 PM PT</td></tr>
<tr><td><div id='498msg'></div><b>Startup to a black screen after installing updates</b><br>Your device may startup to a black screen during the first logon after installing updates.<br><br><a href = '#498msgdesc'>See details ></a></td><td>OS Build 17134.829<br><br>June 11, 2019<br><a href ='https://support.microsoft.com/help/4503286' target='_blank'>KB4503286</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>June 14, 2019 <br>04:41 PM PT</td></tr>
@ -80,7 +80,7 @@ sections:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='540msgdesc'></div><b>Domain connected devices that use MIT Kerberos realms may not start up</b><div>Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after installation of <a href='https://support.microsoft.com/help/4507466' target='_blank'>KB4507466</a>. Devices that are domain controllers or domain members are both affected.</div><div><br></div><div>If you are not sure if your device is affected, contact your administrator.&nbsp;Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -&gt; Policies -&gt; Administrative Templates &gt; System -&gt; Kerberos.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607</li><li>Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016</li></ul><div></div><div><strong>Next steps:</strong>&nbsp;At this time, we suggest that devices in an affected environment do not install <a href='https://support.microsoft.com/help/4507466' target='_blank'>KB4507466</a>. We are working on a resolution and estimate a solution will be available in mid-August.</div><br><a href ='#540msg'>Back to top</a></td><td>OS Build 17134.915<br><br>July 16, 2019<br><a href ='https://support.microsoft.com/help/4507466' target='_blank'>KB4507466</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 25, 2019 <br>06:10 PM PT<br><br>Opened:<br>July 25, 2019 <br>06:10 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='542msgdesc'></div><b>Domain connected devices that use MIT Kerberos realms will not start up</b><div>Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of <a href='https://support.microsoft.com/help/4507466' target='_blank'>KB4507466</a>. Devices that are domain controllers or domain members are both affected.</div><div><br></div><div>If you are not sure if your device is affected, contact your administrator.&nbsp;Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -&gt; Policies -&gt; Administrative Templates &gt; System -&gt; Kerberos.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607</li><li>Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016</li></ul><div></div><div><strong>Next steps:</strong>&nbsp;At this time, we suggest that devices in an affected environment do not install <a href='https://support.microsoft.com/help/4507466' target='_blank'>KB4507466</a>. We are working on a resolution and estimate a solution will be available in mid-August.</div><br><a href ='#542msg'>Back to top</a></td><td>OS Build 17134.915<br><br>July 16, 2019<br><a href ='https://support.microsoft.com/help/4507466' target='_blank'>KB4507466</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 26, 2019 <br>04:08 PM PT<br><br>Opened:<br>July 25, 2019 <br>06:10 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='530msgdesc'></div><b>Devices starting using PXE from a WDS or SCCM servers may fail to start</b><div>Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing <a href='https://support.microsoft.com/help/4503286' target='_blank'>KB4503286</a> on a WDS server.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903</li></ul><div></div><div><strong>Workaround: </strong></div><div>To mitigate this issue on an SCCM server:</div><ol><li>Verify Variable Window Extension&nbsp;is enabled.</li><li>Set the values of <strong>TFTP block size </strong>to <strong>4096</strong> and <strong>TFTP window size </strong>to <strong>1</strong>. For guidance on how to configure them<strong>, </strong>see <a href=\"https://docs.microsoft.com/en-us/sccm/osd/get-started/prepare-site-system-roles-for-operating-system-deployments#BKMK_RamDiskTFTP\" target=\"_blank\">Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points</a>.</li></ol><div><strong>Note </strong>Try the default values for <strong>TFTP block size </strong>and <strong>TFTP window size </strong>first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the <strong>Enable a PXE responder without Windows Deployment Service</strong> setting. For more information on this setting, see <a href=\"https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe\" target=\"_blank\">Install and configure distribution points in Configuration Manager</a>.</div><div><br></div><div>To mitigate this issue on a WDS server without SCCM:</div><ol><li>In WDS TFTP settings, verify Variable Window Extension&nbsp;is enabled.</li><li>In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.</li><li>In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.</li></ol><div><strong>Note </strong>Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.</div><div><br></div><div><strong>Next steps: </strong>We are working on a resolution and will provide an update in an upcoming release.</div><br><a href ='#530msg'>Back to top</a></td><td>OS Build 17134.829<br><br>June 11, 2019<br><a href ='https://support.microsoft.com/help/4503286' target='_blank'>KB4503286</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 10, 2019 <br>07:09 PM PT<br><br>Opened:<br>July 10, 2019 <br>02:51 PM PT</td></tr>
</table>
"

4
windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
View File

@ -64,7 +64,7 @@ sections:
- type: markdown
text: "<div>This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.</div><br>
<table border ='0'><tr><td width='65%'>Summary</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>Last updated</td></tr>
<tr><td><div id='540msg'></div><b>Domain connected devices that use MIT Kerberos realms may not start up</b><br>Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after updating.<br><br><a href = '#540msgdesc'>See details ></a></td><td>OS Build 17763.652<br><br>July 22, 2019<br><a href ='https://support.microsoft.com/help/4505658' target='_blank'>KB4505658</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>July 25, 2019 <br>06:10 PM PT</td></tr>
<tr><td><div id='542msg'></div><b>Domain connected devices that use MIT Kerberos realms will not start up</b><br>Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.<br><br><a href = '#542msgdesc'>See details ></a></td><td>OS Build 17763.652<br><br>July 22, 2019<br><a href ='https://support.microsoft.com/help/4505658' target='_blank'>KB4505658</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>July 26, 2019 <br>04:08 PM PT</td></tr>
<tr><td><div id='530msg'></div><b>Devices starting using PXE from a WDS or SCCM servers may fail to start</b><br>Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"<br><br><a href = '#530msgdesc'>See details ></a></td><td>OS Build 17763.557<br><br>June 11, 2019<br><a href ='https://support.microsoft.com/help/4503327' target='_blank'>KB4503327</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>July 10, 2019 <br>07:09 PM PT</td></tr>
<tr><td><div id='520msg'></div><b>Difficulty connecting to some iSCSI-based SANs</b><br>Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.<br><br><a href = '#520msgdesc'>See details ></a></td><td>OS Build 17763.529<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4497934' target='_blank'>KB4497934</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4509479' target='_blank'>KB4509479</a></td><td>June 26, 2019 <br>04:00 PM PT</td></tr>
<tr><td><div id='498msg'></div><b>Startup to a black screen after installing updates</b><br>Your device may startup to a black screen during the first logon after installing updates.<br><br><a href = '#498msgdesc'>See details ></a></td><td>OS Build 17763.557<br><br>June 11, 2019<br><a href ='https://support.microsoft.com/help/4503327' target='_blank'>KB4503327</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>June 14, 2019 <br>04:41 PM PT</td></tr>
@ -85,7 +85,7 @@ sections:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='540msgdesc'></div><b>Domain connected devices that use MIT Kerberos realms may not start up</b><div>Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after installation of <a href='https://support.microsoft.com/help/4505658' target='_blank'>KB4505658</a>. Devices that are domain controllers or domain members are both affected.</div><div><br></div><div>If you are not sure if your device is affected, contact your administrator.&nbsp;Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -&gt; Policies -&gt; Administrative Templates &gt; System -&gt; Kerberos.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607</li><li>Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016</li></ul><div></div><div><strong>Next steps:</strong>&nbsp;At this time, we suggest that devices in an affected environment do not install <a href='https://support.microsoft.com/help/4505658' target='_blank'>KB4505658</a>. We are working on a resolution and estimate a solution will be available in mid-August.</div><br><a href ='#540msg'>Back to top</a></td><td>OS Build 17763.652<br><br>July 22, 2019<br><a href ='https://support.microsoft.com/help/4505658' target='_blank'>KB4505658</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 25, 2019 <br>06:10 PM PT<br><br>Opened:<br>July 25, 2019 <br>06:10 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='542msgdesc'></div><b>Domain connected devices that use MIT Kerberos realms will not start up</b><div>Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of <a href='https://support.microsoft.com/help/4505658' target='_blank'>KB4505658</a>. Devices that are domain controllers or domain members are both affected.</div><div><br></div><div>If you are not sure if your device is affected, contact your administrator.&nbsp;Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -&gt; Policies -&gt; Administrative Templates &gt; System -&gt; Kerberos.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607</li><li>Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016</li></ul><div></div><div><strong>Next steps:</strong>&nbsp;At this time, we suggest that devices in an affected environment do not install <a href='https://support.microsoft.com/help/4505658' target='_blank'>KB4505658</a>. We are working on a resolution and estimate a solution will be available in mid-August.</div><br><a href ='#542msg'>Back to top</a></td><td>OS Build 17763.652<br><br>July 22, 2019<br><a href ='https://support.microsoft.com/help/4505658' target='_blank'>KB4505658</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 26, 2019 <br>04:08 PM PT<br><br>Opened:<br>July 25, 2019 <br>06:10 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='530msgdesc'></div><b>Devices starting using PXE from a WDS or SCCM servers may fail to start</b><div>Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing <a href='https://support.microsoft.com/help/4503327' target='_blank'>KB4503327</a> on a WDS server.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903</li></ul><div></div><div><strong>Workaround: </strong></div><div>To mitigate this issue on an SCCM server:</div><ol><li>Verify Variable Window Extension&nbsp;is enabled.</li><li>Set the values of <strong>TFTP block size </strong>to <strong>4096</strong> and <strong>TFTP window size </strong>to <strong>1</strong>. For guidance on how to configure them<strong>, </strong>see <a href=\"https://docs.microsoft.com/en-us/sccm/osd/get-started/prepare-site-system-roles-for-operating-system-deployments#BKMK_RamDiskTFTP\" target=\"_blank\">Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points</a>.</li></ol><div><strong>Note </strong>Try the default values for <strong>TFTP block size </strong>and <strong>TFTP window size </strong>first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the <strong>Enable a PXE responder without Windows Deployment Service</strong> setting. For more information on this setting, see <a href=\"https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe\" target=\"_blank\">Install and configure distribution points in Configuration Manager</a>.</div><div><br></div><div>To mitigate this issue on a WDS server without SCCM:</div><ol><li>In WDS TFTP settings, verify Variable Window Extension&nbsp;is enabled.</li><li>In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.</li><li>In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.</li></ol><div><strong>Note </strong>Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.</div><div><br></div><div><strong>Next steps: </strong>We are working on a resolution and will provide an update in an upcoming release.</div><br><a href ='#530msg'>Back to top</a></td><td>OS Build 17763.557<br><br>June 11, 2019<br><a href ='https://support.microsoft.com/help/4503327' target='_blank'>KB4503327</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 10, 2019 <br>07:09 PM PT<br><br>Opened:<br>July 10, 2019 <br>02:51 PM PT</td></tr>
</table>
"

8
windows/release-information/status-windows-10-1903.yml
View File

@ -65,7 +65,8 @@ sections:
- type: markdown
text: "<div>This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.</div><br>
<table border ='0'><tr><td width='65%'>Summary</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>Last updated</td></tr>
<tr><td><div id='540msg'></div><b>Domain connected devices that use MIT Kerberos realms may not start up</b><br>Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after updating.<br><br><a href = '#540msgdesc'>See details ></a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>July 25, 2019 <br>06:10 PM PT</td></tr>
<tr><td><div id='546msg'></div><b>RASMAN service may stop working and result in the error “0xc0000005”</b><br>The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.<br><br><a href = '#546msgdesc'>See details ></a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4505903' target='_blank'>KB4505903</a></td><td>July 26, 2019 <br>02:00 PM PT</td></tr>
<tr><td><div id='542msg'></div><b>Domain connected devices that use MIT Kerberos realms will not start up</b><br>Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.<br><br><a href = '#542msgdesc'>See details ></a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>July 26, 2019 <br>04:08 PM PT</td></tr>
<tr><td><div id='539msg'></div><b>Issues updating when certain versions of Intel storage drivers are installed</b><br>Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail.<br><br><a href = '#539msgdesc'>See details ></a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Mitigated External<br></td><td>July 25, 2019 <br>06:10 PM PT</td></tr>
<tr><td><div id='536msg'></div><b>The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU</b><br>Some apps or games that needs to perform graphics intensive operations may close or fail to open on Surface Book 2 devices with Nvidia dGPU.<br><br><a href = '#536msgdesc'>See details ></a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>July 16, 2019 <br>09:04 AM PT</td></tr>
<tr><td><div id='534msg'></div><b>Initiating a Remote Desktop connection may result in black screen</b><br>When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen.<br><br><a href = '#534msgdesc'>See details ></a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>July 12, 2019 <br>04:42 PM PT</td></tr>
@ -73,7 +74,6 @@ sections:
<tr><td><div id='532msg'></div><b>Error attempting to update with external USB device or memory card attached </b><br>PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"<br><br><a href = '#532msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>July 11, 2019 <br>01:53 PM PT</td></tr>
<tr><td><div id='531msg'></div><b>Audio not working with Dolby Atmos headphones and home theater </b><br>Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.<br><br><a href = '#531msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>July 11, 2019 <br>01:53 PM PT</td></tr>
<tr><td><div id='530msg'></div><b>Devices starting using PXE from a WDS or SCCM servers may fail to start</b><br>Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"<br><br><a href = '#530msgdesc'>See details ></a></td><td>OS Build 18362.175<br><br>June 11, 2019<br><a href ='https://support.microsoft.com/help/4503293' target='_blank'>KB4503293</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>July 10, 2019 <br>07:09 PM PT</td></tr>
<tr><td><div id='522msg'></div><b>RASMAN service may stop working and result in the error “0xc0000005”</b><br>The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.<br><br><a href = '#522msgdesc'>See details ></a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>July 01, 2019 <br>05:04 PM PT</td></tr>
<tr><td><div id='519msg'></div><b>Event Viewer may close or you may receive an error when using Custom Views</b><br>When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.<br><br><a href = '#519msgdesc'>See details ></a></td><td>OS Build 18362.175<br><br>June 11, 2019<br><a href ='https://support.microsoft.com/help/4503293' target='_blank'>KB4503293</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4501375' target='_blank'>KB4501375</a></td><td>June 27, 2019 <br>10:00 AM PT</td></tr>
<tr><td><div id='476msg'></div><b>Windows Sandbox may fail to start with error code “0x80070002”</b><br>Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates<br><br><a href = '#476msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 20, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>June 10, 2019 <br>06:06 PM PT</td></tr>
<tr><td><div id='454msg'></div><b>Gamma ramps, color profiles, and night light settings do not apply in some cases</b><br>Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.<br><br><a href = '#454msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>May 24, 2019 <br>11:02 AM PT</td></tr>
@ -97,7 +97,7 @@ sections:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='540msgdesc'></div><b>Domain connected devices that use MIT Kerberos realms may not start up</b><div>Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after installation of <a href='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a>. Devices that are domain controllers or domain members are both affected.</div><div><br></div><div>If you are not sure if your device is affected, contact your administrator.&nbsp;Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -&gt; Policies -&gt; Administrative Templates &gt; System -&gt; Kerberos.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607</li><li>Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016</li></ul><div></div><div><strong>Next steps:</strong>&nbsp;At this time, we suggest that devices in an affected environment do not install <a href='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a>. We are working on a resolution and estimate a solution will be available in mid-August.</div><br><a href ='#540msg'>Back to top</a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 25, 2019 <br>06:10 PM PT<br><br>Opened:<br>July 25, 2019 <br>06:10 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='542msgdesc'></div><b>Domain connected devices that use MIT Kerberos realms will not start up</b><div>Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of <a href='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a>. Devices that are domain controllers or domain members are both affected.</div><div><br></div><div>If you are not sure if your device is affected, contact your administrator.&nbsp;Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -&gt; Policies -&gt; Administrative Templates &gt; System -&gt; Kerberos.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607</li><li>Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016</li></ul><div></div><div><strong>Next steps:</strong>&nbsp;At this time, we suggest that devices in an affected environment do not install <a href='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a>. We are working on a resolution and estimate a solution will be available in mid-August.</div><br><a href ='#542msg'>Back to top</a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 26, 2019 <br>04:08 PM PT<br><br>Opened:<br>July 25, 2019 <br>06:10 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='539msgdesc'></div><b>Issues updating when certain versions of Intel storage drivers are installed</b><div>Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903).&nbsp;&nbsp;</div><div><br></div><div>To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST&nbsp;driver version between&nbsp;<strong>15.1.0.1002</strong>&nbsp;and&nbsp;<strong>15.5.2.1053</strong>&nbsp;installed from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.</div><div><br></div><div>Versions&nbsp;<strong>15.5.2.1054 or later</strong>&nbsp;are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update.&nbsp;For affected devices, the recommended version is <strong>15.9.6.1044</strong>.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903</li><li>Server: Windows Server, version 1903</li></ul><div></div><div><strong>Next steps: </strong>To resolve this issue, you will need to update the Intel RST drivers for your device to version&nbsp;<strong>15.5.2.1054&nbsp;</strong>or a later.&nbsp;&nbsp;Check with your device manufacturer (OEM) to see if an updated driver is available and install it. You can also download the latest Intel RST drivers directly from Intel at&nbsp;<a href=\"https://downloadcenter.intel.com/download/28656/Intel-Rapid-Storage-Technology-Intel-RST-User-Interface-and-Driver\" target=\"_blank\">Intel® Rapid Storage Technology (Intel® RST) User Interface and Driver</a>.&nbsp;Once your drivers are updated, you can restart the installation process for the May 2019 Update.</div><div><br></div><div><strong>Note</strong>&nbsp;Until an updated driver has been installed, we recommend you do not attempt to manually update using the <strong>Update now&nbsp;</strong>button or the Media Creation Tool.&nbsp;</div><br><a href ='#539msg'>Back to top</a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Mitigated External<br></td><td>Last updated:<br>July 25, 2019 <br>06:10 PM PT<br><br>Opened:<br>July 25, 2019 <br>06:10 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='536msgdesc'></div><b>The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU</b><div>Microsoft has identified a compatibility issue on some Surface Book 2 devices configured with Nvidia discrete graphics processing unit (dGPU). After updating to Windows 10, version 1903 (May 2019 Feature Update), some apps or games that needs to perform graphics intensive operations may close or fail to open.</div><div><br></div><div>To safeguard your update experience, we have applied a compatibility hold on Surface Book 2 devices with Nvidia dGPUs from being offered Windows 10, version 1903, until&nbsp;this issue is resolved.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903</li></ul><div></div><div><strong>Workaround:</strong> To mitigate the issue if you are already on Windows 10, version 1903, you can restart the device or select the <strong>Scan for hardware changes</strong> button in the <strong>Action </strong>menu or on the toolbar in Device Manager.</div><div><br></div><div><strong>Note</strong>&nbsp;We recommend that you do not attempt to manually update using the&nbsp;<strong>Update now</strong>&nbsp;button or the Media Creation Tool until this issue has been resolved.</div><div><br></div><div><strong>Next steps: </strong>We are working on a resolution and will provide an update in an upcoming release.</div><br><a href ='#536msg'>Back to top</a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 16, 2019 <br>09:04 AM PT<br><br>Opened:<br>July 12, 2019 <br>04:20 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='534msgdesc'></div><b>Initiating a Remote Desktop connection may result in black screen</b><div>When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen. Any version of Windows may encounter this issue when initiating a Remote Desktop connection to a Windows 10, version 1903 device which is running an affected display driver, including the drivers for the Intel 4 series chipset integrated GPU (iGPU).</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903</li><li>Server: Windows Server, version 1903</li></ul><div></div><div><strong>Next steps: </strong>We are working on a resolution that will be made available in upcoming release.</div><br><a href ='#534msg'>Back to top</a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 12, 2019 <br>04:42 PM PT<br><br>Opened:<br>July 12, 2019 <br>04:42 PM PT</td></tr>
@ -110,7 +110,7 @@ sections:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='522msgdesc'></div><b>RASMAN service may stop working and result in the error “0xc0000005”</b><div>The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0.&nbsp;You may also receive an error in the<strong> Application section </strong>of <strong>Windows Logs</strong> <strong>in</strong>&nbsp;<strong>Event Viewer&nbsp;</strong>with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.</div><div><br></div><div>This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.</div><div><br></div><div><strong>Affected platforms</strong></div><ul><li>Client: Windows 10, version 1903</li></ul><div></div><div><strong>Workaround: </strong>To mitigate this issue, use one of the steps below, either the group policy step or the registry step, to configure one of the default telemetry settings:</div><div><br></div><div>Set the value for the following group policy settings:</div><ol><li>Group Policy Path: Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Allow Telemetry</li><li>Safe Policy Setting: Enabled and set to 1 (Basic) or 2 (Enhanced) or 3 (Full)</li></ol><div><br></div><div>Or set the following registry value:</div><p class=\"ql-indent-1\">SubKey: HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection</div><p class=\"ql-indent-1\">Setting: AllowTelemetry</div><p class=\"ql-indent-1\">Type: REG_DWORD</div><p class=\"ql-indent-1\">Value: 1, 2 or 3</div><div><br></div><div><strong>Note</strong>&nbsp;If the Remote Access Connection Manager service is not running after setting the Group Policy or registry key, you will need to manually start the service or restart the device.</div><div><br></div><div><strong>Next Steps:</strong> We are working on a resolution and estimate a solution will be available in late July.</div><br><a href ='#522msg'>Back to top</a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 01, 2019 <br>05:04 PM PT<br><br>Opened:<br>June 28, 2019 <br>05:01 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='546msgdesc'></div><b>RASMAN service may stop working and result in the error “0xc0000005”</b><div>The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0.&nbsp;You may also receive an error in the<strong> Application section </strong>of <strong>Windows Logs</strong> <strong>in</strong>&nbsp;<strong>Event Viewer&nbsp;</strong>with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.</div><div><br></div><div>This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.</div><div><br></div><div><strong>Affected platforms</strong></div><ul><li>Client: Windows 10, version 1903</li></ul><div></div><div><strong>Resolution:</strong>&nbsp;This issue was resolved in <a href='https://support.microsoft.com/help/4505903' target='_blank'>KB4505903</a>.</div><br><a href ='#546msg'>Back to top</a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4505903' target='_blank'>KB4505903</a></td><td>Resolved:<br>July 26, 2019 <br>02:00 PM PT<br><br>Opened:<br>June 28, 2019 <br>05:01 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='519msgdesc'></div><b>Event Viewer may close or you may receive an error when using Custom Views</b><div>When trying to expand, view, or create&nbsp;<strong>Custom Views&nbsp;</strong>in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using&nbsp;<strong>Filter Current Log</strong>&nbsp;in the&nbsp;<strong>Action&nbsp;</strong>menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1</li><li>Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2</li></ul><div></div><div><strong>Resolution:</strong>&nbsp;This issue was resolved in <a href='https://support.microsoft.com/help/4501375' target='_blank'>KB4501375</a>.</div><br><a href ='#519msg'>Back to top</a></td><td>OS Build 18362.175<br><br>June 11, 2019<br><a href ='https://support.microsoft.com/help/4503293' target='_blank'>KB4503293</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4501375' target='_blank'>KB4501375</a></td><td>Resolved:<br>June 27, 2019 <br>10:00 AM PT<br><br>Opened:<br>June 12, 2019 <br>11:11 AM PT</td></tr>
</table>
"

6
windows/release-information/windows-message-center.yml
View File

@ -49,12 +49,12 @@ sections:
- type: markdown
text: "
<table border ='0'><tr><td width='80%'>Message</td><td width='20%'>Date</td></tr>
<tr><td><b>Status update: Windows 10, version 1903 “D” release</b><br><div>The optional monthly “D” release for Windows 10, version 1903 will be available in the near term. Follow <a href='https://twitter.com/windowsupdate' target='_blank'>@WindowsUpdate</a> for the latest on the availability of this release.</div></td><td>July 24, 2019 <br>12:00 AM PT</td></tr>
<tr><td><a href = 'https://support.microsoft.com/help/4505903' target='_blank'><b>Status update: Windows 10, version 1903 “D” release now available</b></a><br><div>The optional monthly “D” release for Windows 10, version 1903 is now available. Follow <a href='https://twitter.com/windowsupdate' target='_blank'>@WindowsUpdate</a> for the latest on the availability of this release.</div></td><td>July 26, 2019 <br>02:00 PM PT</td></tr>
<tr><td><a href = 'https://support.microsoft.com/en-us/help/4511036/silverlight-end-of-support' target='_blank'><b>Plan for change: Microsoft Silverlight will reach end of support on October 12, 2021</b></a><br><div>After this date, Silverlight will not receive any future quality or security updates. Microsoft will continue to ship updates to the Silverlight 5 Developer Runtime for supported browsers and versions (Internet Explorer 10 and Internet Explorer 11); however, please note that support for Internet Explorer 10 will end on 31 January 2020. See the <a href='https://support.microsoft.com/en-us/help/4511036/silverlight-end-of-support' target='blank'>Silverlight end of support FAQ</a> for more details.</div></td><td>July 19, 2019 <br>12:00 AM PT</td></tr>
<tr><td><a href = 'https://blogs.windows.com/windowsexperience/2019/07/01/evolving-windows-10-servicing-and-quality-the-next-steps/' target='_blank'><b>Evolving Windows 10 servicing and quality</b></a><br><div>Find out how we plan to further optimize the delivery of the next Windows 10 feature update for devices running Windows 10, version 1903. If you're a commercial customer, please see the <a href='https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Moving-to-the-next-Windows-10-feature-update-for-commercial/ba-p/732968' target='_blank'>Windows IT Pro Blog</a> for more details on how to plan for this new update option in your environment.</div></td><td>July 01, 2019 <br>02:00 PM PT</td></tr>
<tr><td><a href = '' target='_blank'><b>Windows 10, version 1903 starting to roll out to devices running Windows 10, version 1803 and earlier</b></a><br><div>We are now beginning to build and train the machine learning (ML) based rollout process to update devices running Windows 10, version 1803 (the April 2018 Update) and earlier versions of Windows 10, to ensure we can continue to service these devices and provide the latest updates, security updates, and improvements.</div></td><td>June 18, 2019 <br>02:00 PM PT</td></tr>
<tr><td><a href = '' target='_blank'><b>Windows 10, version 1903 available by selecting “Check for updates”</b></a><br><div>Windows 10, version 1903 is now available for any user who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel.</div></td><td>June 06, 2019 <br>06:00 PM PT</td></tr>
<tr><td><b>Windows 10, version 1903 starting to roll out to devices running Windows 10, version 1803 and earlier</b><br><div>We are now beginning to build and train the machine learning (ML) based rollout process to update devices running Windows 10, version 1803 (the April 2018 Update) and earlier versions of Windows 10, to ensure we can continue to service these devices and provide the latest updates, security updates, and improvements.</div></td><td>June 18, 2019 <br>02:00 PM PT</td></tr>
<tr><td><b>Windows 10, version 1903 available by selecting “Check for updates”</b><br><div>Windows 10, version 1903 is now available for any user who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel.</div></td><td>June 06, 2019 <br>06:00 PM PT</td></tr>
<tr><td><a href = 'https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97' target='_blank'><b>Windows 10, version 1903 rollout begins</b></a><br>The Windows 10 May 2019 Update (Windows 10, version 1903) is available today to commercial customers via Windows Server Update Services (WSUS), Windows Update for Business, and the Volume Licensing Service Center (VLSC)—and to end users who manually select “Check for updates.” We are slowly throttling up availability while we carefully monitor data and feedback.</td><td>May 21, 2019 <br>10:00 AM PT</td></tr>
<tr><td><a href = 'https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064' target='_blank'><b>Whats new in Windows Update for Business</b></a><br>We are enhancing and expanding the capabilities of Windows Update for Business to make the move to the cloud even easier. From simplified branch readiness options to better control over deadlines and reboots, read about the enhancements to Windows Update for Business as a part of Windows 10, version 1903. </td><td>May 21, 2019 <br>10:00 AM PT</td></tr>
<tr><td><a href = 'https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024' target='_blank'><b>Whats new for businesses and IT pros in Windows 10</b></a><br>Explore the newest capabilities for businesses and IT in the latest feature update in the areas of intelligent security, simplified updates, flexible management, and enhanced productivity. </td><td>May 21, 2019 <br>10:00 AM PT</td></tr>

15
windows/security/threat-protection/TOC.md
View File

@ -104,7 +104,20 @@
### [Advanced hunting]()
#### [Advanced hunting overview](microsoft-defender-atp/overview-hunting.md)
#### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md)
##### [Advanced hunting reference](microsoft-defender-atp/advanced-hunting-reference.md)
##### [Advanced hunting schema reference]()
###### [All tables in the Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md)
###### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
###### [FileCreationEvents table](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
###### [ImageLoadEvents table](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
###### [LogonEvents table](microsoft-defender-atp/advanced-hunting-logonevents-table.md)
###### [MachineInfo table](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
###### [MachineNetworkInfo table](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
###### [MiscEvents table](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
###### [NetworkCommunicationEvents table](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
###### [ProcessCreationEvents table](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
###### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
##### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
#### [Custom detections]()

54
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md Normal file
View File

@ -0,0 +1,54 @@
---
title: AlertEvents table in the advanced hunting schema
description: Learn about the AlertEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, alertevent
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# AlertEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The AlertEvents table in the Advanced hunting schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| AlertId | string | Unique identifier for the alert |
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
| Category | string | Type of threat indicator or breach activity identified by the alert |
| Title | string | Title of the alert |
| FileName | string | Name of the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| RemoteIP | string | IP address that was being connected to |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| Table | string | Table that contains the details of the event |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

73
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md Normal file
View File

@ -0,0 +1,73 @@
---
title: FileCreationEvents table in the Advanced hunting schema
description: Learn about the FileCreationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, filecreationevents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# FileCreationEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The FileCreationEvents table in the Advanced hunting schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event |
| FileName | string | Name of the file that the recorded action was applied to |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
| FileOriginUrl | string | URL where the file was downloaded from |
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file |
| FileOriginIP | string | IP address where the file was downloaded from |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection |
| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

66
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md Normal file
View File

@ -0,0 +1,66 @@
---
title: ImageLoadEvents table in the Advanced hunting schema
description: Learn about the ImageLoadEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, imageloadevents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# ImageLoadEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The ImageLoadEvents table in the Advanced hunting schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event |
| FileName | string | Name of the file that the recorded action was applied to |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

74
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md Normal file
View File

@ -0,0 +1,74 @@
---
title: LogonEvents table in the Advanced hunting schema
description: Learn about the LogonEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, logonevents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# LogonEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The LogonEvents table in the Advanced hunting schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string |Type of activity that triggered the event |
| AccountDomain | string | Domain of the account |
| AccountName | string | User name of the account |
| AccountSid | string | Security Identifier (SID) of the account |
| LogonType | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> |
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information |
| RemoteIP | string | IP address that was being connected to |
| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| RemotePort | int | TCP port on the remote device that was being connected to |
| AdditionalFields | string | Additional information about the event in JSON array format |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| IsLocalAdmin | boolean | Boolean indicator of whether the user is a local administrator on the machine |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

55
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md Normal file
View File

@ -0,0 +1,55 @@
---
title: MachineInfo table in the Advanced hunting schema
description: Learn about the MachineInfo table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machineinfo
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# MachineInfo
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The MachineInfo table in the Advanced hunting schema contains information about machines in the organization, including OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ClientVersion | string | Version of the endpoint agent or sensor running on the machine |
| PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy |
| OSArchitecture | string | Architecture of the operating system running on the machine |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
| OSBuild | string | Build version of the operating system running on the machine |
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format |
| RegistryMachineTag | string | Machine tag added through the registry |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| OSVersion | string | Version of the operating system running on the machine |
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

56
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md Normal file
View File

@ -0,0 +1,56 @@
---
title: MachineNetworkInfo table in the Advanced hunting schema
description: Learn about the MachineNetworkInfo table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machinenetworkinfo
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# MachineNetworkInfo
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The MachineNetworkInfo table in the Advanced hunting schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| NetworkAdapterName | string | Name of the network adapter |
| MacAddress | string | MAC address of the network adapter |
| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) |
| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) |
| TunnelType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet |
| DnsAddresses | string | DNS server addresses in JSON array format |
| IPv4Dhcp | string | IPv4 address of DHCP server |
| IPv6Dhcp | string | IPv6 address of DHCP server |
| DefaultGateways | string | Default gateway addresses in JSON array format |
| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

87
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md Normal file
View File

@ -0,0 +1,87 @@
---
title: MiscEvents table in the advanced hunting schema
description: Learn about the MiscEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, miscEvents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# MiscEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The MiscEvents table in the Advanced hunting schema contains information about multiple event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event |
| FileName | string | Name of the file that the recorded action was applied to |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
| AccountDomain | string | Domain of the account |
| AccountName |string | User name of the account |
| AccountSid | string | Security Identifier (SID) of the account |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
| ProcessId | int | Process ID (PID) of the newly created process |
| ProcessCommandLine | string | Command line used to create the new process |
| ProcessCreationTime | datetime | Date and time the process was created |
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
| RegistryKey | string | Registry key that the recorded action was applied to |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
| RemoteIP | string | IP address that was being connected to |
| RemotePort | int | TCP port on the remote device that was being connected to |
| LocalIP | string | IP address assigned to the local machine used during communication |
| LocalPort | int | TCP port on the local machine used during communication |
| FileOriginUrl | string | URL where the file was downloaded from |
| FileOriginIP | string | IP address where the file was downloaded from |
| AdditionalFields | string | Additional information about the event in JSON array format |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

70
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md Normal file
View File

@ -0,0 +1,70 @@
---
title: NetworkCommunicationEvents table in the Advanced hunting schema
description: Learn about the NetworkCommunicationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, networkcommunicationevents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# NetworkCommunicationEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The NetworkCommunicationEvents table in the Advanced hunting schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event |
| RemoteIP | string | IP address that was being connected to |
| RemotePort | int | TCP port on the remote device that was being connected to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| LocalIP | string | IP address assigned to the local machine used during communication |
| LocalPort | int | TCP port on the local machine used during communication |
| Protocol | string | IP protocol used, whether TCP or UDP |
| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

78
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md Normal file
View File

@ -0,0 +1,78 @@
---
title: ProcessCreationEvents table in the Advanced hunting schema
description: Learn about the ProcessCreationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, processcreationevents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# ProcessCreationEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The ProcessCreationEvents table in the Advanced hunting schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event |
| FileName | string | Name of the file that the recorded action was applied to |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
| ProcessId | int | Process ID (PID) of the newly created process |
| ProcessCommandLine | string | Command line used to create the new process |
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources |
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
| ProcessCreationTime | datetime | Date and time the process was created |
| AccountDomain | string | Domain of the account |
| AccountName | string | User name of the account |
| AccountSid | string | Security Identifier (SID) of the account |
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

119
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md
View File

@ -1,6 +1,6 @@
---
title: Advanced hunting reference in Microsoft Defender ATP
description: Learn about Advanced hunting table reference such as column name, data type, and description
title: Advanced hunting schema reference
description: Learn about the tables in the advanced hunting schema
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 06/01/2018
ms.date: 07/24/2019
---
# Advanced hunting reference in Microsoft Defender ATP
@ -26,101 +26,28 @@ ms.date: 06/01/2018
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
## Advanced hunting column reference
To effectively build queries that span multiple tables, you need to understand the columns in the Advanced hunting schema. The following table lists all the available columns, along with their data types and descriptions. This information is also available in the schema representation in the Advanced hunting screen.
## Advanced hunting table reference
| Column name | Data type | Description
:---|:--- |:---
| AccountDomain | string | Domain of the account |
| AccountName | string | User name of the account |
| AccountSid | string | Security Identifier (SID) of the account |
| ActionType | string | Type of activity that triggered the event |
| AdditionalFields | string | Additional information about the event in JSON array format |
| AlertId | string | Unique identifier for the alert |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| Category | string | Type of threat indicator or breach activity identified by the alert |
| ClientVersion | string | Version of the endpoint agent or sensor running on the machine |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if its connected publicly to the internet. |
| DefaultGateways | string | Default gateway addresses in JSON array format |
| DnsAddresses | string | DNS server addresses in JSON array format |
| EventTime | datetime | Date and time when the event was recorded |
| FileName | string | Name of the file that the recorded action was applied to |
| FileOriginIp | string | IP address where the file was downloaded from |
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file |
| FileOriginUrl | string | URL where the file was downloaded from |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. |
| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
| Ipv4Dhcp | string | IPv4 address of DHCP server |
| Ipv6Dhcp | string | IPv6 address of DHCP server |
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
| LocalIP | string | IP address assigned to the local machine used during communication |
| LocalPort | int | TCP port on the local machine used during communication |
| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts. |
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format |
| LogonType | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br>
| MacAddress | string | MAC address of the network adapter |
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. |
| MachineId | string | Unique identifier for the machine in the service |
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
| NetworkAdapterName | string | Name of the network adapter |
| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2). |
| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2). |
| OSArchitecture | string | Architecture of the operating system running on the machine |
| OSBuild | string | Build version of the operating system running on the machine |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
| OsVersion | string | Version of the operating system running on the machine |
| PreviousRegistryKey | string | Original registry key of the registry value before it was modified |
| PreviousRegistryValueData | string | Original data of the registry value before it was modified |
| PreviousRegistryValueName | string | Original name of the registry value before it was modified |
| PreviousRegistryValueType | string | Original data type of the registry value before it was modified |
| ProcessCommandline | string | Command line used to create the new process |
| ProcessCreationTime | datetime | Date and time the process was created |
| ProcessId | int | Process ID (PID) of the newly created process |
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. |
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
| Protocol | string | IP protocol used, whether TCP or UDP |
| PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy. |
| RegistryKey | string | Registry key that the recorded action was applied to |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. |
| RemoteIP | string | IP address that was being connected to |
| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| RemotePort | int | TCP port on the remote device that was being connected to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection |
| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
| RegistryMachineTag | string | Machine tag added through the registry |
| Table | string | Table that contains the details of the event |
| TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
The Advanced hunting schema is made up of multiple tables that provide either event information or information about certain entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink)
The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table.
Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the Advanced hunting screen.
| Table name | Description |
|------------|-------------|
| **[AlertEvents](advanced-hunting-alertevents-table.md)** | Alerts on Microsoft Defender Security Center |
| **[MachineInfo](advanced-hunting-machineinfo-table.md)** | Machine information, including OS information |
| **[MachineNetworkInfo](advanced-hunting-machinenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains |
| **[ProcessCreationEvents](advanced-hunting-processcreationevents-table.md)** | Process creation and related events |
| **[NetworkCommunicationEvents](advanced-hunting-networkcommunicationevents-table.md)** | Network connection and related events |
| **[FileCreationEvents](advanced-hunting-filecreationevents-table.md)** | File creation, modification, and other file system events |
| **[RegistryEvents](advanced-hunting-registryevents-table.md)** | Creation and modification of registry entries |
| **[LogonEvents](advanced-hunting-logonevents-table.md)** | Sign-ins and other authentication events |
| **[ImageLoadEvents](advanced-hunting-imageloadevents-table.md)** | DLL loading events |
| **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
## Related topics
- [Query data using Advanced hunting](advanced-hunting.md)
- [Advanced hunting query language best practices](advanced-hunting-best-practices.md)
- [Best practices for Advanced hunting query-writing](advanced-hunting-best-practices.md)

68
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md Normal file
View File

@ -0,0 +1,68 @@
---
title: RegistryEvents table in the Advanced hunting schema
description: Learn about the RegistryEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, registryevents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# RegistryEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The RegistryEvents table in the Advanced hunting schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event |
| RegistryKey | string | Registry key that the recorded action was applied to |
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
| PreviousRegistryValueName | string | Original name of the registry value before it was modified |
| PreviousRegistryValueData | string | Original data of the registry value before it was modified |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

2
windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
View File

@ -22,8 +22,6 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
[Attack surface reduction (ASR) rules](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives.

14
windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
View File

@ -22,14 +22,13 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
Each onboarded machine adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a machine can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks.
>[!NOTE]
>Before you can track and manage onboarding of machines, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management).
Before you can track and manage onboarding of machines:
- [Enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management)
- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)
## Discover and track unprotected machines
@ -39,8 +38,7 @@ The **Onboarding** card provides a high-level overview of your onboarding rate b
*Card showing onboarded machines compared to the total number of Intune-managed Windows 10 machine*
>[!NOTE]
>- If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that dont use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your machines.
>- During preview, you might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
>If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that dont use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your machines.
## Onboard more machines with Intune profiles
@ -66,10 +64,10 @@ From the overview, create a configuration profile specifically for the deploymen
3. After creating the profile, assign it to all your machines. You can review profiles and their deployment status anytime by accessing **Device configuration > Profiles** on Intune.
![Profile assignment screen on Intune](images/secconmgmt_onboarding_3assignprofile.png)<br>
*Assigning the new agent profile to all machines*
*Assigning the new profile to all machines*
>[!TIP]
>To learn more about Intune profiles, read [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/intune/device-profile-assign).
>To learn more about Intune profiles, read about [assigning user and device profiles](https://docs.microsoft.com/intune/device-profile-assign).
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)

28
windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
View File

@ -22,16 +22,15 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection.
To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a).
>[!NOTE]
>Before you can track and manage compliance to the Microsoft Defender ATP security baseline, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management).
Before you can deploy and track compliance to security baselines:
- [Enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management)
- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)
## Compare the Microsoft Defender ATP and the Windows Intune security baselines
The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure machines running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Windows Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:
@ -44,17 +43,6 @@ Both baselines are maintained so that they complement one another and have ident
>[!NOTE]
>The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.
## Get permissions to manage security baselines in Intune
By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage security baseline profiles. If you havent been assigned either role, work with a Global Administrator or an Intune Service Administrator to [create and assign a custom role in Intune](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role) with:
* Read permissions to the organization
* Full permissions to security baselines
![Security baseline permissions on Intune](images/secconmgmt_baseline_permissions.png)
*Security baseline permissions on Intune*
## Monitor compliance to the Microsoft Defender ATP security baseline
The **Security baseline** card on [machine configuration management](configure-machines.md) provides an overview of compliance across Windows 10 machines that have been assigned the Microsoft Defender ATP security baseline.
@ -72,9 +60,7 @@ Each machine is given one of the following status types:
To review specific machines, select **Configure security baseline** on the card. This takes you to Intune device management. From there, select **Device status** for the names and statuses of the machines.
>[!NOTE]
>During preview, you might encounter a few known limitations:
>- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
>- The Microsoft Defender ATP security baseline currently doesnt cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard.
>You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
## Review and assign the Microsoft Defender ATP security baseline
@ -83,7 +69,7 @@ Machine configuration management monitors baseline compliance only of Windows 10
1. Select **Configure security baseline** on the **Security baseline** card to go to Intune device management. A similar overview of baseline compliance is displayed.
>[!TIP]
> Alternatively, you can navigate to the Microsoft Defender ATP security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines (preview) > PREVIEW: Windows Defender ATP baseline**.
> Alternatively, you can navigate to the Microsoft Defender ATP security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines > Microsoft Defender ATP baseline**.
2. Create a new profile.
@ -101,10 +87,10 @@ Machine configuration management monitors baseline compliance only of Windows 10
![Security baseline profiles on Intune](images/secconmgmt_baseline_intuneprofile3.png)<br>
*Assigning the security baseline profile on Intune*
5. Save the profile and deploy it to the assigned machine group.
5. Create the profile to save it and deploy it to the assigned machine group.
![Assigning the security baseline on Intune](images/secconmgmt_baseline_intuneprofile4.png)<br>
*Saving and deploying the security baseline profile on Intune*
*Creating the security baseline profile on Intune*
>[!TIP]
>Security baselines on Intune provide a convenient way to comprehensively secure and protect your machines. [Learn more about security baselines on Intune](https://docs.microsoft.com/intune/security-baselines).

23
windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
View File

@ -22,8 +22,6 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
With properly configured machines, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your machines:
@ -47,7 +45,7 @@ In doing so, you benefit from:
Machine configuration management works closely with Intune device management to establish the inventory of the machines in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 machines.
Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll).
Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read about [setting up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll).
>[!NOTE]
>To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/intune/licenses-assign).
@ -55,12 +53,21 @@ Before you can ensure your machines are configured properly, enroll them to Intu
>[!TIP]
>To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
## Known issues and limitations in this preview
During preview, you might encounter a few known limitations:
- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
- The count of onboarded machines tracked by machine configuration management might not include machines onboarded using Security Center Configuration Manager, the onboarding script, or other onboarding methods that dont use Intune profiles. To include these machines, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to these machines.
- The Microsoft Defender ATP security baseline currently doesnt cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard.
## Obtain required permissions
By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage and assign the device configuration profiles needed for onboarding machines and deploying the security baseline.
If you have been assigned other roles, ensure you have the necessary permissions:
- Full permissions to device configurations
- Full permissions to security baselines
- Read permissions to device compliance policies
- Read permissions to the organization
![Required permissions on intune](images/secconmgmt_intune_permissions.png)<br>
*Device configuration permissions on Intune*
>[!TIP]
>To learn more about assigning permissions on Intune, [read about creating custom roles](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role).
## In this section
Topic | Description

9
windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
View File

@ -63,6 +63,9 @@ The machine will automatically be onboarded to your tenant with the recommended
Automated investigation settings will be dependent on tenant settings. It will be configured to be semi-automated by default. For more information, see [Overview of Automated investigations](automated-investigations.md).
>[!NOTE]
>The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
1. In the navigation pane, select **Evaluation and tutorials > Evaluation lab**.
@ -72,7 +75,7 @@ Automated investigation settings will be dependent on tenant settings. It will b
3. Select **Add machine**.
>[!NOTE]
>[!WARNING]
> The evaluation environment can only be provisioned up to three test machines. Each machine will only be available for three days from the day of activation.
![Image of add machine](images/evaluation-add-machine.png)
@ -89,6 +92,7 @@ Automated investigation settings will be dependent on tenant settings. It will b
The environment will reflect your test machine status through the evaluation - including risk score, exposure score, and alerts created through the simulation.
![Image of test machines](images/eval-lab-dashboard.png)
## Simulate attack scenarios
@ -98,6 +102,9 @@ If you are looking for a pre-made simulation, you can use our ["Do It Yourself"
You can also use [Advanced hunting](advanced-hunting.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats.
>[!NOTE]
>The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
1. Connect to your machine and run an attack simulation by selecting **Connect**.
![Image of the connect button for test machines](images/test-machine-table.png)

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile1.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 49 KiB

After

Width:  |  Height:  |  Size: 62 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 24 KiB

After

Width:  |  Height:  |  Size: 38 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile3.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 10 KiB

After

Width:  |  Height:  |  Size: 26 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile4.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 18 KiB

After

Width:  |  Height:  |  Size: 35 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_permissions.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 30 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_intune_permissions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 49 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_1deviceconfprofile.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 75 KiB

After

Width:  |  Height:  |  Size: 103 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_2deviceconfprofile.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 26 KiB

After

Width:  |  Height:  |  Size: 42 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_3assignprofile.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 19 KiB

After

Width:  |  Height:  |  Size: 31 KiB