deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into alhopper-mrmw-apps

Browse Source
This commit is contained in:
Allison Hopper - Microsoft 2018-05-07 07:17:58 -07:00
commit c0a545aca5
70 changed files with 1589 additions and 621 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

120
browsers/edge/available-policies.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros)
ms.localizationpriority: high
ms.date: 4/30/2018 #Previsou release date 09/13/2017
ms.date: 4/30/2018
---
# Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge
@ -28,6 +28,26 @@ Microsoft Edge works with the following Group Policy settings to help you manage
Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\
## Allow a shared books folder
>*Supported versions: Windows 10, version 1803*<br>
>*Default setting: None*
You can configure Microsoft Edge to use a shared folder to store books from the Books Library.
If enabled, a shared books folder is allowed.
If disabled, a shared books folder not allowed.
**MDM settings in Microsoft Intune**
| | |
|---|---|
|MDM name |Browser/[UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) |
|Supported devices |Desktop |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks |
|Data type |Integer |
|Allowed values |<ul><li>**0** - No folder shared.</li><li>**1** - Use a shared folder.</li></ul> |
## Allow Address bar drop-down list suggestions
>*Supporteded versions: Windows 10, version 1703 or later*
@ -75,6 +95,23 @@ Your browsing data is the information that Microsoft Edge remembers and stores a
|Allowed values |<ul><li>**0 (default)** - Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings.</li><li>**1** - Browsing data is cleared on exit.</li></ul> |
## Allow configuration updates for the Books Library
>*Supported versions: Windows 10, version 1803*<br>
>*Default setting: Enabled or not configured*
Microsoft Edge automatically retrieves the configuration data for the Books Library, when this policy is enabled or
not configured. If disabled, Microsoft Edge does not retrieve the Books configuration data.
**MDM settings in Microsoft Intune**
| | |
|---|---|
|MDM name |Browser/[AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) |
|Supported devices |Desktop |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary |
|Data type |Integer |
|Allowed values |<ul><li>**0** - Disable. Microsoft Edge cannot retrieve a configuration.</li><li>**1 (default)** - Enable (default). Microsoft Edge can retrieve a configuration for Books Library.</li></ul> |
## Allow Cortana
>*Supported versions: Windows 10, version 1607 or later*
@ -104,6 +141,23 @@ F12 developer tools is a suite of tools to help you build and debug your webpage
|Data type | Integer |
|Allowed values |<ul><li>**0** - The F12 Developer Tools are disabled.</li><li>**1 (default)** - The F12 Developer Tools are enabled.</li></ul> |
## Allow extended telemetry for the Books tab
>*Supported versions: Windows 10, version 1803*<br>
>*Default setting: Disabled or not configured*
If you enable this policy, both basic and additional diagnostic data is sent to Microsoft about the books you are
reading from Books in Microsoft Edge. By default, this policy is disabled or not configured and only basic
diagnostic data, depending on your device configuration, is sent to Microsoft.
**MDM settings in Microsoft Intune**
| | |
|---|---|
|MDM name |Browser/[EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) |
|Supported devices |Desktop |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry |
|Data type |Integer |
|Allowed values |<ul><li>**0 (default)** - Disable. No additional diagnostic data.</li><li>**1** - Enable. Additional diagnostic data for schools.</li></ul> |
## Allow Extensions
>*Supporteded versions: Windows 10, version 1607 or later*
@ -167,7 +221,13 @@ For more information, see [Microsoft browser extension policy](https://docs.micr
## Allow web content on New Tab page
>*Supported versions: Windows 10*
This policy setting lets you configure what appears when a New Tab page is opened in Microsoft Edge. By default, this setting is disabled or not configured, which means you cannot customize their New Tab page. If enabled, you can customize their New Tab page.
This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page.
If you enable this setting, Microsoft Edge opens a new tab with the New Tab page.
If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it.
If you don't configure this setting, employees can choose how new tabs appears.
## Always Enable book library
@ -246,29 +306,12 @@ This policy setting specifies whether Do Not Track requests to websites is allow
## Configure Favorites
>*Supported versions: Windows 10, version 1709*
>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their favorites by adding or removing items at any time.
This policy setting allows you to configure a default list of Favorites that appear for your employee, which they cannot modify, sort, move, export or delete. By default, this setting is disabled or not configured allowing you to customize the Favorites list, such as adding folders to organize their favorites. If enabled, you are not allowed to add, import, or change anything in the Favorites list. As part of this, the Save a Favorite, Import settings, and context menu items (such as Create a new folder) are turned off.
If you enable this setting, you can configure what default Favorites appear for your employees. If this setting is enabled, you must also provide a list of Favorites in the Options section. This list is imported after your policy is deployed.
Specify the URL which points to the file that has all the data for provisioning favorites (in html format).
URL can be specified as:
- HTTP location: "SiteList"="http://localhost:8080/URLs.html"
- Local network: "SiteList"="\network\shares\URLs.html"
- Local file: "SiteList"="file:///c:\Users\\Documents\URLs.html"
You can export a set of favorites from Edge and use that html file for provisioning user machines.
>[!Important]
>Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops you from syncing their favorites between Internet Explorer and Microsoft Edge.
**Microsoft Intune to manage your MDM settings**
| | |
|---|---|
|MDM name |[ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) |
|Supported devices |Desktop<br>Mobile |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites |
|Data type | String |
If you disable or don't configure this setting, employees will see the Favorites that they set in the Favorites hub.
## Configure Password Manager
@ -495,6 +538,7 @@ This policy setting specifies whether Microsoft can collect information to creat
|Data type | Integer |
|Allowed values |<ul><li>**0 (default)** - Microsoft servers will be contacted if a site is pinned to Start from Microsoft Edge.</li><li>**1** - Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge.</li></ul> |
## Prevent the First Run webpage from opening on Microsoft Edge
>*Supported versions: Windows 10, version 1703 or later*
@ -524,6 +568,33 @@ This policy setting specifies whether localhost IP address are visible or hiddle
|Data type | Integer |
|Allowed values |<ul><li>**0 (default)** - Shows an employee's LocalHost IP address while using the WebRTC protocol.</li><li>**1** - Does not show an employee's LocalHost IP address while using the WebRTC protocol.</li></ul> |
## Provision Favorites
>*Supported versions: Windows 10, version 1709*
You can configure a default list of favorites that appear for your users in Microsoft Edge.
If disabled or not configured, a default list of favorites is not defined in Microsoft Edge. In this case, users can customize the Favorites list, such as adding folders for organizing, adding, or removing favorites.
If enabled, a default list of favorites is defined for users in Microsoft Edge. Users are not allowed to add, import, or change the Favorites list. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.
To define a default list of favorites, you can export favorites from Microsoft Edge and use the HTML file for provisioning user machines. In HTML format, specify the URL which points to the file that has all the data for provisioning favorites.
URL can be specified as:
- HTTP location: "SiteList"="http://localhost:8080/URLs.html"
- Local network: "SiteList"="\network\shares\URLs.html"
- Local file: "SiteList"="file:///c:\Users\\Documents\URLs.html"
>[!Important]
>You can only enable either this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy, but not both. Enabling both stops you from syncing favorites between Internet Explorer and Microsoft Edge.
**Microsoft Intune to manage your MDM settings**
| | |
|---|---|
|MDM name |[ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) |
|Supported devices |Desktop<br>Mobile |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites |
|Data type | String |
## Send all intranet sites to Internet Explorer 11
>*Supported versions: Windows 10*
@ -572,8 +643,5 @@ This policy setting specifies whether you see an additional page in Microsoft Ed
|Data type | Integer |
|Allowed values |<ul><li>**0 (default)** - Doesnt show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li><li>**1** - Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li></ul> |
## Related topics
* [Mobile Device Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885)

1
browsers/edge/microsoft-browser-extension-policy-include.md Normal file
View File

@ -0,0 +1 @@
[Microsoft browser extention policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy)

2
browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
View File

@ -101,7 +101,7 @@ reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVe
Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. Use this configuration option at your own risk.
## Out-of-date ActiveX control blocking on managed devices
Out-of-date ActiveX control blocking includes 4 new Group Policy settings that you can use to manage your web browser configuration, based on your domain controller. You can download the administrative templates, including the new settings, from the [Administrative templates (.admx) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=746579) page or the [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) page, depending on your operating system.
Out-of-date ActiveX control blocking includes four new Group Policy settings that you can use to manage your web browser configuration, based on your domain controller. You can download the administrative templates, including the new settings, from the [Administrative templates (.admx) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=746579) page or the [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) page, depending on your operating system.
### Group Policy settings
Heres a list of the new Group Policy info, including the settings, location, requirements, and Help text strings. All of these settings can be set in either the Computer Configuration or User Configuration scope, but Computer Configuration takes precedence over User Configuration.

179
browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
View File

@ -3,12 +3,14 @@ ms.localizationpriority: low
ms.mktglfcycl: support
ms.pagetype: security
description: How to download and use the Internet Explorer 11 Blocker Toolkit to turn off the automatic delivery of IE11 through the Automatic Updates feature of Windows Update.
author: eross-msft
author: shortpatti
ms.author: pashort
ms.manager: elizapo
ms.prod: ie11
ms.assetid: fafeaaee-171c-4450-99f7-5cc7f8d7ba91
title: What is the Internet Explorer 11 Blocker Toolkit? (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 07/27/2017
ms.date: 04/24/2018
---
@ -24,14 +26,14 @@ ms.date: 07/27/2017
The Internet Explorer 11 Blocker Toolkit lets you turn off the automatic delivery of IE11 through the **Automatic Updates** feature of Windows Update.
**Important**<br>
The IE11 Blocker Toolkit doesn't stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you've installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11.
>[!IMPORTANT]
>The IE11 Blocker Toolkit does not stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you have installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11.
**To install the toolkit**
## Install the toolkit
1. Download the IE11 Blocker Toolkit from [Toolkit to Disable Automatic Delivery of Internet Explorer 11](https://go.microsoft.com/fwlink/p/?LinkId=327745).
2. Accept the license agreement and store the included 4 files on your local computer.
2. Accept the license agreement and store the included four files on your local computer.
3. Start an elevated Command Prompt by going to **Start**&gt;**All Programs**&gt;**Accessories**&gt; right-clicking on **Command Prompt**, and then choosing **Run as Administrator**.
@ -44,9 +46,168 @@ Wait for the message, **Blocking deployment of IE11 on the local machine. The op
For answers to frequently asked questions, see [Internet Explorer 11 Blocker Toolkit: Frequently Asked Questions](https://go.microsoft.com/fwlink/p/?LinkId=314063).
 
 
## Automatic updates
Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates.
### Automatic delivery process
Internet Explorer 11 only downloads and installs if its available for delivery through Automatic Updates; and Automatic Updates only offer Internet Explorer 11 to users with local administrator accounts. Users without local administrator accounts wont be prompted to install the update and will continue using their current version of Internet Explorer.
Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you dont want Internet Explorer 11, and youre running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel. 
### Internet Explorer 11 automatic upgrades
Internet Explorer 11 is offered through Automatic Updates and Windows Update as an Important update. Users running Windows 7 SP1, who have chosen to download and install updates automatically through Windows Update, are automatically upgraded to Internet Explorer 11.
Users who were automatically upgraded to Internet Explorer 11 can decide to uninstall Internet Explorer 11. However, Internet Explorer 11 will still appear as an optional update through Windows Update.
### Options for blocking automatic delivery
If you use Automatic Updates in your company, but want to stop your users from automatically getting Internet Explorer 11, do one of the following:
- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
>[!NOTE]
>The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](#faq).
- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](http://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit.
>[!NOTE]
>If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company.
### Prevent automatic installation of Internet Explorer 11 with WSUS
Internet Explorer 11 will be released to WSUS as an Update Rollup package. Therefore, if youve configured WSUS to “auto-approve” Update Rollup packages, itll be automatically approved and installed. To stop Internet Explorer 11 from being automatically approved for installation, you need to:
1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**.
2. Expand *ComputerName*, and then click **Options**.
3. Click **Automatic Approvals**.
4. Click the rule that automatically approves an update that is classified as Update Rollup, and then click **Edit.**
>[!NOTE]
>If you dont see a rule like this, you most likely havent configured WSUS to automatically approve Update Rollups for installation. In this situation, you dont have to do anything else.
5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section.
>[!NOTE]
>The properties for this rule will resemble the following:<ul><li>When an update is in Update Rollups</li><li>Approve the update for all computers</li></ul>
6. Clear the **Update Rollup** check box, and then click **OK**.
7. Click **OK** to close the **Automatic Approvals** dialog box.
After the new Internet Explorer 11 package is available for download, you should manually synchronize the new package to your WSUS server, so that when you re-enable auto-approval it wont be automatically installed.
1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**.
2. Expand *ComputerName*, and then click **Synchronizations**.
3. Click **Synchronize Now**.
4. Expand *ComputerName*, expand **Updates**, and then click **All Updates**.
5. Choose **Unapproved** in the **Approval**drop down box.
6. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update.
>[!NOTE]
>There may be multiple updates, depending on the imported language and operating system updates.
### Optional - Reset update rollups packages to auto-approve
1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**.
2. Expand *ComputerName*, and then click **Options**.
3. Click **Automatic Approvals**.
4. Click the rule that automatically approves updates of different classifications, and then click **Edit**.
5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section.
6. Check the **Update Rollups** check box, and then click **OK**.
7. Click **OK** to close the **Automatic Approvals** dialog box.
>[!NOTE]
>Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server wont cause this update to be auto-approved.
## <a name="faq"></a>Frequently Asked Questions 
Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
### Automatic updates delivery process
**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?**
A. We encourage anyone who wants full control over their companys deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](https://technet.microsoft.com/library/gg682041.aspx).
**Q. How long does the blocker mechanism work?**
A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isnt removed or changed.
**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why cant I just disable all of utomatic Updates?**
A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your users computers.
The Internet Explorer 11 Blocker Toolkit safely allows Internet Explorer 11 to download and install in companies that cant use WSUS, Configuration Manager, or other update management solution.
**Q. Why dont we just block URL access to Windows Update or Microsoft Update?**
A. Blocking the Windows Update or Microsoft Update URLs also stops delivery of critical security and reliability updates for all of the supported versions of the Windows operating system; leaving your computers more vulnerable.
### How the Internet Explorer 11 Blocker Toolkit works
**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?**
A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary.
**Q. Whats the registry key used to block delivery of Internet Explorer 11?**
A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0
**Q. Whats the registry key name and values?**
The registry key name is **DoNotAllowIE11**, where:
- A value of **1** turns off the automatic delivery of Internet Explorer 11
using Automatic Updates and turns off the Express install option.
- Not providing a registry key, or using a value of anything other than **1**,
lets the user install Internet Explorer 11 through Automatic Updates or a
manual update.
**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?**
A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media.
**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?**
A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11.
**Q. How does the provided script work?**
A. The script accepts one of two command line options:
- **Block:** Creates the registry key that stops Internet Explorer 11 from installing through Automatic Updates.
- **Unblock:** Removes the registry key that stops Internet Explorer 11 from installing through Automatic Updates.
**Q. Whats the ADM template file used for?**
A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company.
**Q. Is the tool localized?**
A. No. The tool isnt localized, its only available in English (en-us). However, it does work, without any modifications, on any language edition of the supported operating systems.
### Internet Explorer 11 Blocker Toolkit and other update services
**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like SUS?**
A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that dont use upgrade management solutions.
**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?**
A. You only need to change your settings if:
- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation.
-and-
- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed.
-and-
- You dont want to upgrade your older versions of Internet Explorer to Internet Explorer 11 right now.
If these scenarios apply to your company, see [Internet Explorer 11 delivery through automatic updates](https://technet.microsoft.com/microsoft-edge/dn449235) for more information on how to prevent automatic installation.

58
browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
View File

@ -145,8 +145,62 @@ Group Policy settings can be set to open either IE or Internet Explorer for the
|Always in IE11 |Links always open in IE. |
|Always in Internet Explorer for the desktop |Links always open in Internet Explorer for the desktop. |
**Q. Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?**
Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard.
IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center:
| | | |
|---------|---------|---------|
|[English](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) |
|[Arabic](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) |
|[Czech](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) |
|[Finnish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) |
|[Hebrew](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) |
|[Japanese](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) |
|[Portuguese (Brazil)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) |
|[Spanish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) |
**Q. What are the different modes available for the Internet Explorer Customization Wizard?**
The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [Determine the licensing version and features to use in IEAK 11](../ie11-ieak/licensing-version-and-features-ieak11.md).
The following table displays which pages are available in IEAK 11, based on the licensing mode:
| **Wizard Pages** | **External** | **Internal** |
|-------------------------------------------|--------------|--------------|
| Welcome to the IEAK | Yes | Yes |
| File Locations | Yes | Yes |
| Platform Selection | Yes | Yes |
| Language Selection | Yes | Yes |
| Package Type Selection | Yes | Yes |
| Feature Selection | Yes | Yes |
| Automatic Version Synchronization | Yes | Yes |
| Custom Components | Yes | Yes |
| Corporate Install | No | Yes |
| User Experience | No | Yes |
| Browser User Interface | Yes | Yes |
| Search Providers | Yes | Yes |
| Important URLs - Home page and Support | Yes | Yes |
| Accelerators | Yes | Yes |
| Favorites, Favorites Bar, and Feeds | Yes | Yes |
| Browsing Options | No | Yes |
| First Run Wizard and Welcome Page Options | Yes | Yes |
| Compatibility View | Yes | Yes |
| Connection Manager | Yes | Yes |
| Connection Settings | Yes | Yes |
| Automatic Configuration | No | Yes |
| Proxy Settings | Yes | Yes |
| Security and Privacy Settings | No | Yes |
| Add a Root Certificate | Yes | No |
| Programs | Yes | Yes |
| Additional Settings | No | Yes |
| Wizard Complete | Yes | Yes |
## Related topics
- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643)
- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)

13
browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
View File

@ -2,25 +2,28 @@
ms.localizationpriority: low
ms.mktglfcycl: plan
description: A list of steps to follow before you start to create your custom browser installation packages.
author: eross-msft
author: shortpatti
ms.author: pashort
ms.manager: elizapo
ms.prod: ie11
ms.assetid: 6ed182b0-46cb-4865-9563-70825be9a5e4
title: Before you start using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
ms.sitesec: library
ms.date: 07/27/2017
ms.date: 04/24/2018
---
# Before you start using IEAK 11
Go through this list, making sure youve answered all of the questions before you run Internet Explorer Administration Kit 11 (IEAK 11) and the Customization Wizard.
Before you run IEAK 11 and the Customization Wizard, make sure you have met the following requirements:
- Have you determined which licensing version of the Internet Explorer Administration Kit 11 to install? For info, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md).
- Do you meet the necessary hardware and software requirements? See [Hardware and software requirements for IEAK 11](hardware-and-software-reqs-ieak11.md).
- Have you gotten all of the URLs youll need so you can customize your **Home**, **Search**, and **Support** pages? See [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](important-urls-home-page-and-support-ieak11-wizard.md).
- Have you gotten all of the URLs needed to customize your **Home**, **Search**, and **Support** pages? See [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](important-urls-home-page-and-support-ieak11-wizard.md).
- Have you reviewed the security features, determining how you want to set up and manage them? See [Security features and IEAK 11](security-and-ieak11.md).
- Have you reviewed the security features to determine how to set up and manage them? See [Security features and IEAK 11](security-and-ieak11.md).
- Have you created a test lab, where you can run the test version of your browser package to make sure it runs properly?

43
browsers/internet-explorer/ie11-ieak/index.md
View File

@ -12,15 +12,50 @@ ms.date: 07/27/2017
# Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide
The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment.
Use this guide to learn about the several options and processes you'll need to consider while you're using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices.
**Important**<br>
Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary.
>[!IMPORTANT}
>Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary.
## IEAK 11 users
IEAK 11 includes programs and tools that enterprises can use to customize, deploy, and administer Internet Explorer 11 for employee devices, while Internet service and content providers can use the same programs and tools to customize, deploy, and administer Internet Explorer 11 for customers.
Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
IEAK 10 and newer includes the ability to install using one of the following installation modes:
- Internal
- External
>[!NOTE]
>IEAK 11 works in network environments, with or without Microsoft Active Directory service.
### Corporations
IEAK helps corporate administrators establish version control, centrally distribute and manage browser installation, configure automatic connection profiles, and customize large portions of Internet Explorer, including features, security, communications settings, and other important functionality.
Corporate administrators install IEAK using Internal mode (for Internet Explorer 10 or newer) or Corporate mode (for Internet Explorer 9 or older).
### Internet service providers
IEAK helps ISPs customize, deploy and distribute, add third-party add-ons, search providers, and custom components, as well as include web slices and accelerators all as part of a custom Internet Explorer installation package.
ISPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Service Provider (ISP) mode (for Internet Explorer 9 or older).
### Internet content providers
IEAK helps ICPs customize the appearance of Internet Explorer and its Setup program, including letting you add your company name or specific wording to the Title bar, set up a customer support webpage, set up the user home page and search providers, add links to the Favorites and the Explorer bars, add optional components, web slices and accelerators, and determine which compatibility mode Internet Explorer should use.
ICPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older)
### Independent software vendors
IEAK helps ISVs distribute (and redistribute) a custom version of Internet Explorer that can include custom components, programs, and controls (like the web browser control) that you create for your users. ISVs can also determine home pages, search providers, and add websites to the Favorites bar.
ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older).
## Included technology
IEAK 11 includes the following technology:
- **Internet Explorer Customization Wizard.** This wizard guides you through the process of creating custom browser packages. After these packages are installed on your user's desktop, the user receives customized versions of Internet Explorer 11, with the settings and options you selected through the wizard.
- **Windows Installer (MSI).** IEAK 11 supports creating an MSI wrapper for your custom Internet Explorer 11 packages, enabling you to use Active Directory to deploy the package to your user's PC.
- **IEAK Help.** IEAK 11 Help includes many conceptual and procedural topics, which you can view from the **Index**, **Contents**, or **Search** tabs. You also have the option to print any topic, or the entire Help library.
IEAK 11 works in network environments, with or without Microsoft Active Directory service.
## Naming conventions
IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1 Update and newer versions of the Windows operating system:

54
browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
View File

@ -14,10 +14,13 @@ ms.date: 05/02/2018
# Determine the licensing version and features to use in IEAK 11
You must pick a version of IEAK 11 to run during installation, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can pick from, the steps youll have to follow to deploy your Internet Explorer 11 package, and how youll manage the browser after deployment.
In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11) (IEAK 11, the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment.
- **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If youre an ISP or an ICP, your license agreement also says that you have to show the Internet Explorer logo on your packaging and promotional goods, as well as on your website.<p>
**Important**<br>Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations.
During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment.
- **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you are an ISP or an ICP, your license agreement also states that you must show the Internet Explorer logo on your packaging and promotional goods, as well as on your website.
>[!IMPORTANT]
>Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations.
- **Internal Distribution via a Corporate Intranet.** This version is for network admins that plan to directly deploy IE11 into a corporate environment.
@ -52,3 +55,48 @@ You must pick a version of IEAK 11 to run during installation, either **Externa
|Additional settings |Not available |
|Wizard complete |Wizard complete |
## Customization guidelines
Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
- **External Distribution**
This mode is available to anyone who wants to create a customized browser for distribution outside their company (for example, websites, magazines, retailers, non-profit organizations, independent hardware vendors, independent software vendors, Internet service providers, Internet content providers, software developers, and marketers).
- **Internal Distribution**
This mode is available to companies for the creation and distribution of a customized browser only to their employees over a corporate intranet.
The table below identifies which customizations you may or may not perform based on the mode you selected.
| **Feature Name** | **External Distribution** | **Internal Distribution** |
|---------------------------------|----------------------|-------------------|
| **Custom Components** | Yes | Yes |
| **Title Bar** | Yes | Yes |
| **Favorites** | One folder, containing any number of links. | Any number of folders/links. |
| **Search Provider URLs** | Yes | Yes |
| **Search Guide URL** | No | Yes |
| **Online Support URL** | Yes | Yes |
| **Web Slice** | Suggested maximum five Web Slices. | Any number of Web Slices. |
| **Accelerator** | Search provider Accelerator must be the same as the search provider set for the Search Toolbox. We recommend that Any number of Accelerators/Accelerator Categories. Feature Name External Internal Accelerator category not exceed seven total categories, and each Accelerator category must be unique. We recommend each Accelerator category not have more than two Accelerators. The Accelerator display name should follow the syntax of verb + noun, such as "Map with Bing." | Any number of Accelerators/Accelerator Categories. |
| **Homepage URLs** | Can add a maximum of three. | Unlimited. |
| **First Run Wizard and Welcome Page Options** | Cannot remove Internet Explorer 11 First Run wizard. Can customize **Welcome** page. | Customizable. |
| **RSS Feeds** | One folder, containing any number of links. | Any number of folders/links. |
| **Browsing Options** | No | Yes |
| **Security and Privacy Settings** | No | Can add any number of sites. |
| **Corporate Options** (Latest Updates, Default Browser, Uninstall Info, Additional Settings) | No | Yes |
| **User Experience** (Setup/Restart) | No | Yes |
| **User Agent String** | Yes | Yes |
| **Compatibility View** | Yes | Yes |
| **Connection Settings and Manage** | Yes | Yes |
Support for some of the Internet Explorer settings on the wizard pages varies depending on your target operating system. For more information, see [Internet Explorer Customization Wizard 11 options](https://docs.microsoft.com/internet-explorer/ie11-ieak/ieak11-wizard-custom-options).
## Distribution guidelines
Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
- **External Distribution**
You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [!INCLUDE [microsoft-browser-extension-policy-include](../../edge/microsoft-browser-extension-policy-include.md)].
- **Internal Distribution - corporate intranet**
The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet.

55
browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
View File

@ -2,7 +2,8 @@
ms.localizationpriority: low
ms.mktglfcycl: support
description: Info about some of the known issues using the Internet Exporer Customization Wizard and a custom Internet Explorer install package.
author: eross-msft
author: shortpatti
ms.author: pashort
ms.prod: ie11
ms.assetid: 9e22cc61-6c63-4cab-bfdf-6fe49db945e4
title: Troubleshoot custom package and IEAK 11 problems (Internet Explorer Administration Kit 11 for IT Pros)
@ -14,8 +15,8 @@ ms.date: 07/27/2017
# Troubleshoot custom package and IEAK 11 problems
While the Internet Explorer Customization Wizard has been around for quite a while, there are still some known issues that you might encounter while deploying or managing your custom IE install package.
## I cant locate some of the wizard pages
The most common reasons you wont see certain pages is because:
## I am unable to locate some of the wizard pages
The most common reasons you will not see certain pages is because:
- **Your licensing agreement with Microsoft.** Your licensing agreement determines whether you install the **Internal** or **External** version of the Internet Explorer Customization Wizard, and there are different features available for each version. For info about which features are available for each version, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md).
@ -23,7 +24,7 @@ The most common reasons you wont see certain pages is because:
- **Your choice of features.** Depending on what you selected from the **Feature Selection** page of the wizard, you might not see all of the pages. You need to make sure that the features you want to customize are all checked. For more information, see [Use the Feature Selection page in the IEAK 11 Wizard](feature-selection-ieak11-wizard.md).
## Internet Explorer Setup fails on employee devices
## Internet Explorer Setup fails on user's devices
Various issues can cause problems during Setup, including missing files, trust issues, or URL monikers. You can troubleshoot these issues by reviewing the Setup log file, located at `IE11\_main.log` from the **Windows** folder (typically, `C:\Windows`). The log file covers the entire Setup process from the moment IE11Setup.exe starts until the last .cab file finishes, providing error codes that you can use to help determine the cause of the failure.
### Main.log file codes
@ -61,18 +62,60 @@ To address connection issues (for example, as a result of server problems) where
Where `<path>` represents the folder location where you stored IE11setup.exe.
## Employees cant uninstall IE
If you cant uninstall IE using **Uninstall or change a program** in the Control Panel, it could be because the uninstall information isnt on the computer. To fix this issue, you should:
## Users cannot uninstall IE
If you cannot uninstall IE using **Uninstall or change a program** in the Control Panel, it could be because the uninstall information is not on the computer. To fix this issue, you should:
1. Review the uninstall log file, IE11Uninst.log, located in the `C:\Windows` folder. This log file covers the entire uninstallation process, including every file change, every registry change, and any dialog boxes that are shown.
2. Try to manually uninstall IE. Go to the backup folder, `<system_drive>:\Windows\$ie11$`, and run the uninstall file, `Spunist.exe`.
 
## The Internet Explorer Customization Wizard 11 does not work with user names that user double-byte character sets
The customization wizard does not work with user names that use double-byte character sets, such as Chinese or Japanese. To fix this, set the **TEMP** and **TMP** environmental variables to a path that does not use these characters (for example, C:\temp).
1. Open **System Properties**, click the **Advanced** tab, and then click **Environmental Variables**.
2. Click Edit, and then modify the **TEMP** and **TMP** environmental variables to a non-user profile directory.
 
## Unicode characters are not supported in IEAK 11 path names
While Unicode characters, such as Emoji, are supported for organization names and other branding items, you must not use Unicode characters in any paths associated with running the Internet Explorer Customization Wizard 11. This includes paths to your IEAK 11 installation and to the storage location for your custom packages after they're built.
## Internet Explorer branding conflicts when using both Unattend and IEAK 11 to customize Internet Explorer settings
Using both Unattend settings and an IEAK custom package to modify a user's version of Internet Explorer 11 might cause a user to lose personalized settings during an upgrade. For example, many manufacturers configure Internet Explorer using Unattend settings. If a user purchases a laptop, and then signs up for Internet service, their Internet Service Provider (ISP) might provide a version of Internet Explorer that has been branded (for example, with a custom homepage for that ISP) using Internet Explorer Customization Wizard 11. If that user later upgrades to a new version of Internet Explorer, the Unattend settings from the laptop manufacturer will be reapplied, overwriting any settings that the user configured for themselves (such as their homepage).
## IEAK 11 does not correctly apply the Delete all existing items under Favorites, Favorites Bar and Feeds option
The Internet Explorer Customization Wizard 11 does not correctly apply the **Delete all existing items under Favorites**, **Favorites Bar and Feeds** option, available on the **Browsing Options** page.
Selecting to include this feature in your customized Internet Explorer package enables the deletion of existing items in the **Favorites** and **Favorites Bar** areas, but it doesn't enable deletion in the **Feeds** area. In addition, this setting adds a new favorite, titled “Web Slice Gallery” to the **Favorites Bar**.
## F1 does not activate Help on Automatic Version Synchronization page
Pressing the **F1** button on the **Automatic Version Synchronization** page of the Internet Explorer Customization Wizard 11 does not display the **Help** page. Clicking the **Help** button enables you to open the Help system and view information about this page.
## Certificate installation does not work on IEAK 11
IEAK 11 doesn't install certificates added using the Add a Root Certificate page of the Internet Explorer Customization Wizard 11. Administrators can manually install certificates using the Certificates Microsoft Management Console snap-in (Certmgr.msc) or using the command-line tool, Certificate Manager (Certmgr.exe).
>[!NOTE]
>This applies only when using the External licensing mode of IEAK 11.
## The Additional Settings page appears in the wrong language when using a localized version of IEAK 11
When using IEAK 11 in other languages, the settings on the Additional Settings page appear in the language of the target platform, regardless of the IEAK 11 language.
>[!NOTE]
>This applies only when using the Internal licensing mode of IEAK 11.
To work around this issue, run the customization wizard following these steps:
1. On the **Language Selection** page, select the language that matches the language of your installed IEAK 11.
2. Click **Next**, and then click **Synchronize** on the Automatic Version Synchronization page.
3. After synchronization is complete, cancel the wizard.
4. Repeat these steps for each platform on the Platform Selection page.
After performing these steps, you must still do the following each time you synchronize a new language and platform:
1. Open File Explorer to the Program Files\Windows IEAK 11 or Program Files (x86)\Windows IEAK 11 folder.
2. Open the **Policies** folder, and then open the appropriate platform folder.
3. Copy the contents of the matching-language folder into the new language folder.
After completing these steps, the Additional Settings page matches your wizards language.
## Unable to access feeds stored in a subfolder
Adding feeds using the **Favorites**, **Favorites Bar**, and **Feeds** page of the Internet Explorer 11 Customization Wizard requires that the feeds be stored in a single folder. Creating two levels of folders, and creating the feed in the subfolder, causes the feed to fail.

2
education/windows/TOC.md
View File

@ -21,6 +21,6 @@
## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
## [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](s-mode-switch-to-edu.md)
## [Switch to Windows 10 Pro Education from Windows 10 Pro](switch-to-pro-education.md)
## [Change to Windows 10 Pro Education from Windows 10 Pro](change-to-pro-education.md)
## [Chromebook migration guide](chromebook-migration-guide.md)
## [Change history for Windows 10 for Education](change-history-edu.md)

62
education/windows/switch-to-pro-education.md → education/windows/change-to-pro-education.md
View File

@ -16,8 +16,8 @@ ms.date: 04/30/2018
Windows 10 Pro Education is a new offering in Windows 10, version 1607. This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings.
If you have an education tenant and use devices with Windows 10 Pro, global administrators can opt-in to a free change to Windows 10 Pro Education depending on your scenario.
- [change from Windows 10 Pro in S mode to Windows 10 Pro Education in S mode](https://www.microsoft.com/en-us/education/windows/s-mode-change-to-edu)
- [change from Windows 10 Pro to Windows 10 Pro Education](#change-from-windows-10-pro-to-windows-10-pro-education)
- [Switch from Windows 10 Pro in S mode to Windows 10 Pro Education in S mode](https://www.microsoft.com/en-us/education/windows/s-mode-change-to-edu)
- [Switch from Windows 10 Pro to Windows 10 Pro Education](#switch-from-windows-10-pro-to-windows-10-pro-education)
To take advantage of this offering, make sure you meet the [requirements for changing](#requirements-for-changing). For academic customers who are eligible to change to Windows 10 Pro Education, but are unable to use the above methods, contact Microsoft Support for assistance.
@ -37,7 +37,7 @@ You can [compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsFor
For more info about Windows 10 default settings and recommendations for education customers, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
## change from Windows 10 Pro to Windows 10 Pro Education
## Change from Windows 10 Pro to Windows 10 Pro Education
For schools that want to standardize all their Windows 10 Pro devices to Windows 10 Pro Education, a global admin for the school can opt-in to a free change through the Microsoft Store for Education.
@ -49,7 +49,7 @@ In this scenario:
See [change using Microsoft Store for Education](#change-using-microsoft-store-for-education) for details on how to do this.
### change using Intune for Education
### Change using Intune for Education
1. In Intune for Education, select **Groups** and then choose the group that you want to apply the MAK license key to.
@ -66,7 +66,7 @@ See [change using Microsoft Store for Education](#change-using-microsoft-store-f
3. The change will automatically be applied to the group you selected.
### change using Windows Configuration Designer
### Change using Windows Configuration Designer
You can use Windows Configuration Designer to create a provisioning package that you can use to change the Windows edition for your device(s). [Install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) to create a provisioning package.
1. In Windows Configuration Designer, select **Provision desktop devices** to open the simple editor and create a provisioning package for Windows desktop editions.
@ -81,7 +81,7 @@ You can use Windows Configuration Designer to create a provisioning package that
For more information about using Windows Configuration Designer, see [Set up student PCs to join domain](https://technet.microsoft.com/en-us/edu/windows/set-up-students-pcs-to-join-domain).
### change using the Activation page
### Change using the Activation page
1. On the Windows device that you want to change, open the **Settings** app.
2. Select **Update & security** > **Activation**, and then click **Change product key**.
@ -103,7 +103,7 @@ When you change to Windows 10 Pro Education, you get the following benefits:
See [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro) for more info.
### change using Microsoft Store for Education
### Change using Microsoft Store for Education
Once you enable the setting to change to Windows 10 Pro Education, the change will begin only after a user signs in to their device. The setting applies to the entire organization or tenant, so you cannot select which users will receive the change. The change will only apply to Windows 10 Pro devices.
**To turn on the automatic change to Windows 10 Pro Education**
@ -113,24 +113,24 @@ Once you enable the setting to change to Windows 10 Pro Education, the change wi
If this is the first time you're signing into the Microsoft Store for Education, you'll be prompted to accept the Microsoft Store for Education Terms of Use.
2. Click **Manage** from the top menu and then select the **Benefits tile**.
3. In the **Benefits** tile, look for the **change to Windows 10 Pro Education for free** link and then click it.
3. In the **Benefits** tile, look for the **Change to Windows 10 Pro Education for free** link and then click it.
4. In the **change all your devices to Windows 10 Pro Education for free** page, check box next to **I understand enabling this setting will change all domain-joined devices running Windows 10 Pro in my organization**.
4. In the **Change all your devices to Windows 10 Pro Education for free** page, check box next to **I understand enabling this setting will change all domain-joined devices running Windows 10 Pro in my organization**.
**Figure 4** - Check the box to confirm
**Figure 3** - Check the box to confirm
![Check the box to confirm](images/msfe_manage_benefits_checktoconfirm.png)
5. Click **change all my devices**.
5. Click **Change all my devices**.
A confirmation window pops up to let you know that an email has been sent to you to enable the change.
6. Close the confirmation window and check the email to proceed to the next step.
7. In the email, click the link to **change to Windows 10 Pro Education**. Once you click the link, this will take you back to the Microsoft Store for Education portal.
7. In the email, click the link to **Change to Windows 10 Pro Education**. Once you click the link, this will take you back to the Microsoft Store for Education portal.
8. Click **change now** in the **changing your device to Windows 10 Pro Education for free** page in the Microsoft Store.
8. Click **Change now** in the **changing your device to Windows 10 Pro Education for free** page in the Microsoft Store.
You will see a window that confirms you've successfully changeed all the devices in your organization to Windows 10 Pro Education, and each Azure AD joined device running Windows 10 Pro will automatically change the next time someone in your organization signs in to the device.
You will see a window that confirms you've successfully changed all the devices in your organization to Windows 10 Pro Education, and each Azure AD joined device running Windows 10 Pro will automatically change the next time someone in your organization signs in to the device.
9. Click **Close** in the **Success** window.
@ -142,7 +142,7 @@ Enabling the automatic change also triggers an email message notifying all globa
So what will users experience? How will they change their devices?
### For existing Azure AD joined devices
Existing Azure AD domain joined devices will be changeed to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed.
Existing Azure AD domain joined devices will be changed to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed.
### For new devices that are not Azure AD joined
Now that you've turned on the setting to automatically change to Windows 10 Pro Education, the users are ready to change their devices running Windows 10 Pro, version 1607 or higher, version 1703 to Windows 10 Pro Education edition.
@ -163,13 +163,13 @@ If the Windows device is running Windows 10, version 1703, follow these steps.
1. During initial device setup, on the **How would you like to set up?** page, select **Set up for an organization**, and then click **Next**.
**Figure 7** - Select how you'd like to set up the device
**Figure 4** - Select how you'd like to set up the device
![Select how you'd like to set up the device](images/1_howtosetup.png)
2. On the **Sign in with Microsoft** page, enter the username and password to use with Office 365 or other services from Microsoft, and then click **Next**.
**Figure 8** - Enter the account details
**Figure 5** - Enter the account details
![Enter the account details you use with Office 365 or other Microsoft services](images/2_signinwithms.png)
@ -182,21 +182,21 @@ If the Windows device is running Windows 10, version 1703, follow these steps.
1. Go to **Settings > Accounts > Access work or school**.
**Figure 9** - Go to **Access work or school** in Settings
**Figure 6** - Go to **Access work or school** in Settings
![Go to Access work or school in Settings](images/settings_workorschool_1.png)
2. In **Access work or school**, click **Connect**.
3. In the **Set up a work or school account** window, click the **Join this device to Azure Active Directory** option at the bottom.
**Figure 10** - Select the option to join the device to Azure Active Directory
**Figure 7** - Select the option to join the device to Azure Active Directory
![Select the option to join the device to Azure Active Directory](images/settings_setupworkorschoolaccount_2.png)
4. On the **Let's get you signed in** window, enter the Azure AD credentials (username and password) and sign in. This will join the device to the school's Azure AD.
5. To verify that the device was successfully joined to Azure AD, go back to **Settings > Accounts > Access work or school**. You should now see a connection under the **Connect to work or school** section that indicates the device is connected to Azure AD.
**Figure 11** - Verify the device connected to Azure AD
**Figure 8** - Verify the device connected to Azure AD
![Verify the device is connected to Azure AD](images/settings_connectedtoazuread_3.png)
@ -210,7 +210,7 @@ Once the device is joined to your Azure AD subscription, the user will sign in b
You can verify the Windows 10 Pro Education in **Settings &gt; Update & Security &gt; Activation**.
**Figure 12** - Windows 10 Pro Education in Settings
**Figure 9** - Windows 10 Pro Education in Settings
<img src="images/win-10-pro-edu-activated-subscription-active.png" alt="Windows 10 activated and subscription active" />
@ -225,12 +225,12 @@ In some instances, users may experience problems with the Windows 10 Pro Educat
Use the following figures to help you troubleshoot when users experience these common problems:
**Figure 13** - Illustrates a device in a healthy state, where the existing operating system is activated, and the Windows 10 Pro Education change is active.
**Figure 10** - Illustrates a device in a healthy state, where the existing operating system is activated, and the Windows 10 Pro Education change is active.
<img src="images/win-10-pro-edu-activated-subscription-active.png" alt="Windows 10 activated and subscription active" /></br></br>
**Figure 14** - Illustrates a device on which the existing operating system is not activated, but the Windows 10 Pro Education change is active.
**Figure 11** - Illustrates a device on which the existing operating system is not activated, but the Windows 10 Pro Education change is active.
<img src="images/win-10-pro-edu-not-activated-subscription-active.png" alt="Windows 10 not activated and subscription active" /></br></br>
@ -260,7 +260,7 @@ Devices must be running Windows 10 Pro, version 1607 or higher, or domain joined
A popup window will display the Windows 10 version number and detailed OS build information.
> [!NOTE]
> If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be changeed to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license.
> If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be changed to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license.
### Roll back Windows 10 Pro Education to Windows 10 Pro
@ -269,10 +269,10 @@ If your organization has the Windows 10 Pro to Windows 10 Pro Education change e
- Logging into Microsoft Store for Education page and turning off the automatic change.
- Selecting the link to turn off the automatic change from the notification email sent to all global administrators.
Once the automatic change to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were changeed will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was changeed may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. However, users who haven't signed in during the time that a change was enabled and then turned off will never see their device change from Windows 10 Pro.
Once the automatic change to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were changed will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was changed may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. However, users who haven't signed in during the time that a change was enabled and then turned off will never see their device change from Windows 10 Pro.
> [!NOTE]
> Devices that were changeed from mode to Windows 10 Pro Education cannot roll back to Windows 10 Pro Education S mode.
> Devices that were changed from mode to Windows 10 Pro Education cannot roll back to Windows 10 Pro Education S mode.
**To roll back Windows 10 Pro Education to Windows 10 Pro**
@ -280,7 +280,7 @@ Once the automatic change to Windows 10 Pro Education is turned off, the change
2. Select **Manage > Benefits** and locate the section **Windows 10 Pro Education** and follow the link.
3. In the **Revert to Windows 10 Pro** page, click **Revert to Windows 10 Pro**.
**Figure 15** - Revert to Windows 10 Pro
**Figure 12** - Revert to Windows 10 Pro
![Revert to Windows 10 Pro](images/msfe_manage_reverttowin10pro.png)
@ -296,9 +296,9 @@ If you have on-premises Active Directory Domain Services (AD DS) domains, users
You need to synchronize these identities so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Pro Education). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
Figure 11 illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
(Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
**Figure 16** - On-premises AD DS integrated with Azure AD
**Figure 13** - On-premises AD DS integrated with Azure AD
![Illustration of Azure Active Directory Connect](images/windows-ad-connect.png)
@ -308,6 +308,6 @@ For more information about integrating on-premises AD DS domains with Azure AD,
## Related topics
[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)<BR>
[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)<BR>
[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)

5
education/windows/s-mode-switch-to-edu.md
View File

@ -51,8 +51,8 @@ However, in some limited scenarios, you might need to switch to Windows 10 Educa
**Switch using the Microsoft Store for Education**<BR>
There are two switch options available using the Microsoft Store for Education:
Tenant-wide Windows 10 Pro in S mode > Pro EDU in S mode <BR>
Tenant-wide Windows 10 Pro > Pro EDU
Tenant-wide Windows 10 Pro in S mode > Pro Education in S mode <BR>
Tenant-wide Windows 10 Pro > Pro Education
> [!NOTE]
> To rollback to Windows 10 Pro in S mode, a BMR factory reset must be performed.
@ -67,6 +67,7 @@ Tenant-wide Windows 10 Pro > Pro EDU
> There is currently no "bulk-switch" option for devices running Windows 10, version 1803.
## Related Topics
[FAQs](https://support.microsoft.com/en-us/help/4020089/windows-10-in-s-mode-faq)<br>
[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)<BR>
[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) <BR>
[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)

4
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -1264,10 +1264,6 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<td style="vertical-align:top"><p>Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)</td>
<td style="vertical-align:top"><p>Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, version 1803.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[DMClient CSP](dmclient-csp.md)</td>
<td style="vertical-align:top"><p>Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:</p>
<ul>

5
windows/deployment/planning/windows-10-1803-removed-features.md
View File

@ -7,7 +7,7 @@ ms.localizationpriority: high
ms.sitesec: library
author: lizap
ms.author: elizapo
ms.date: 04/27/2018
ms.date: 05/03/2018
---
# Features removed or planned for replacement starting with Windows 10, version 1803
@ -33,7 +33,7 @@ We've removed the following features and functionalities from the installed prod
|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.<br><br>When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.<br><br>Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10: <br>- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10) <br>- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) |
|**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).|
|**Conversations** in the People app when you're offline or if you're using a non-Office 365 mail account|In Windows 10, the People app shows mail from Office 365 contacts and contacts from your school or work organization under **Conversations**. After you update to Windows 10, version 1803, in order to see new mail in the People app from these specific contacts, you need to be online, and you need to have signed in with either an Office 365 account or, for work or school organization accounts, through the [Mail](https://support.microsoft.com/help/17198/windows-10-set-up-email), [People](https://support.microsoft.com/help/14103/windows-people-app-help), or [Calendar](https://support.office.com/article/Mail-and-Calendar-for-Windows-10-FAQ-4ebe0864-260f-4d3a-a607-7b9899a98edc) apps. Please be aware that youll only see mail for work and school organization accounts and some Office 365 accounts.|
|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer. <br><br>However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.
|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer. <br><br>However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.|
## Features were no longer developing
@ -50,3 +50,4 @@ If you have feedback about the proposed replacement of any of these features, yo
|Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.|
|IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.|
|[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers have been deprecated since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. Installed Layered Service Providers are not migrated when you upgrade to Windows 10, version 1803; you'll need to re-install them after upgrading.|
|Business Scanning, also called Distributed Scan Management (DSM) **(Added 05/03/2018)**|The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124\(vs.11\)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.|

6
windows/deployment/update/waas-wufb-group-policy.md
View File

@ -339,6 +339,10 @@ The **Ring 4 Broad business users** deployment ring has now been configured. Fin
2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 5 Broad business users #2** group.
## Known issues
The following article describes the known challenges that can occur when you manage a Windows 10 Group policy client base:
- [Known issues managing a Windows 10 Group Policy client in Windows Server 2012 R2](https://support.microsoft.com/en-us/help/4015786/known-issues-managing-a-windows-10-group-policy-client-in-windows-serv)
## Related topics
- [Update Windows 10 in the enterprise](index.md)
@ -356,4 +360,4 @@ The **Ring 4 Broad business users** deployment ring has now been configured. Fin
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
- [Manage device restarts after updates](waas-restart.md)

3
windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 04/05/2018
ms.date: 05/02/2018
---
# Frequently asked questions and troubleshooting Windows Analytics
@ -23,7 +23,6 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win
[Device Health crash data not appearing](#device-health-crash-data-not-appearing)
[Upgrade Readiness reports outdated updates](#upgrade-readiness-reports-outdated-updates)
[Upgrade Readiness shows many "Computers with outdated KB"](#upgrade-readiness-shows-many-computers-with-outdated-kb)

8
windows/deployment/upgrade/quick-fixes.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.date: 04/18/2018
ms.date: 05/03/2018
ms.localizationpriority: high
---
@ -22,9 +22,9 @@ ms.localizationpriority: high
The following list of fixes can resolve many Windows upgrade problems. You should try these steps before contacting Microsoft support, or attempting a more advanced analysis of a Windows upgrade failure. Also review information at [Windows 10 help](https://support.microsoft.com/en-us/products/windows?os=windows-10).
The Microsoft Virtual Agent provided by [Microsoft Support](https://support.microsoft.com/contactus/) can help you to analyze and correct some Windows upgrade errors. To talk to a person about your issue, start the Virtual Agent (click **Get started**) and enter "Talk to a person" two times.
The Microsoft Virtual Agent provided by [Microsoft Support](https://support.microsoft.com/contactus/) can help you to analyze and correct some Windows upgrade errors. **To talk to a person about your issue**, start the Virtual Agent (click **Get started**) and enter "Talk to a person" two times.
You might also wish to try a new tool available from Microsoft that helps to diagnose many Windows upgrade errors. For more information and to download this tool, see [SetupDiag](setupdiag.md). The topic is more advanced (300 level) because several advanced options are available for using the tool. However, you can also just download the tool and run it with no advanced options. You must understand how to download and then run the program from an [elevated command prompt](#open-an-elevated-command-prompt).
>You might also wish to try a new tool available from Microsoft that helps to diagnose many Windows upgrade errors. For more information and to download this tool, see [SetupDiag](setupdiag.md). The topic is more advanced (300 level) because several advanced options are available for using the tool. However, you can now just download and then double-click the tool to run it. By default when you click Save, the tool is saved in your **Downloads** folder. Double-click the tool in the folder and wait until it finishes running (it might take a few minutes), then double-click the **SetupDiagResults.log** file and open it using Notepad to see the results of the analysis.
## List of fixes
@ -217,6 +217,8 @@ When you run Disk Cleanup and enable the option to Clean up system files, you ca
### Open an elevated command prompt
>It is no longer necessary to open an elevated command prompt to run the [SetupDiag](setupdiag.md) tool. However, this is still the optimal way to run the tool.
To launch an elevated command prompt, press the Windows key on your keyboard, type **cmd**, press Ctrl+Shift+Enter, and then Alt+C to confirm the elevation prompt. Screenshots and other steps to open an administrator (aka elevated) command prompt are [here](https://answers.microsoft.com/en-us/windows/forum/windows_7-security/command-prompt-admin-windows-7/6a188166-5e23-461f-b468-f325688ec8c7).
Note: When you open an elevated command prompt, you will usually start in the **C:\WINDOWS\system32** directory. To run a program that you recently downloaded, you must change to the directory where the program is located. Alternatively, you can move or copy the program to a location on the computer that is automatically searched. These directories are listed in the [PATH variable](https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings-winpc/adding-path-variable/97300613-20cb-4d85-8d0e-cc9d3549ba23).

78
windows/deployment/upgrade/resolution-procedures.md
View File

@ -675,6 +675,84 @@ Alternatively, re-create installation media the [Media Creation Tool](https://ww
</table>
## Modern setup errors
Also see the following sequential list of modern setup (mosetup) error codes with a brief description of the cause.
| Result code | Message | Description |
| --- | --- | --- |
| 0XC1900100 | MOSETUP_E_VERSION_MISMATCH | An unexpected version of Setup Platform binaries was encountered. Please verify the package contents. |
| 0XC1900101 | MOSETUP_E_SETUP_PLATFORM | The Setup Platform has encountered an unspecified error. |
| 0XC1900102 | MOSETUP_E_SHUTDOWN_BLOCK | Unable to create or destroy the shutdown block message. |
| 0XC1900103 | MOSETUP_E_COMPAT_TIMEOUT | The compatibility issues were not resolved within the required time limit. |
| 0XC1900104 | MOSETUP_E_PROCESS_TIMEOUT | The installation process did not complete within the required time limit. |
| 0XC1900105 | MOSETUP_E_TEST_MODE | The installation process is being used in a test environment. |
| 0XC1900106 | MOSETUP_E_TERMINATE_PROCESS | The installation process was terminated. |
| 0XC1900107 | MOSETUP_E_CLEANUP_PENDING | A cleanup operation from a previous installation attempt is still pending. A system reboot is required. |
| 0XC1900108 | MOSETUP_E_REPORTING | An error has occured and the result value must be consolidated for telemetry purposes. |
| 0XC1900109 | MOSETUP_E_COMPAT_TERMINATE | The installation process was terminated during the actionable compatibility phase. |
| 0XC190010a | MOSETUP_E_UNKNOWN_CMD_LINE | The installation process was launched with an unknown command line argument. |
| 0XC190010b | MOSETUP_E_INSTALL_IMAGE_NOT_FOUND | The installation image was not found. |
| 0XC190010c | MOSETUP_E_AUTOMATION_INVALID | The provided automation information was invalid. |
| 0XC190010d | MOSETUP_E_INVALID_CMD_LINE | The installation process was launched with an invalid command line argument. |
| 0XC190010e | MOSETUP_E_EULA_ACCEPT_REQUIRED | The installation process requires that the user accept the license agreement. |
| 0XC1900110 | MOSETUP_E_EULA_CANCEL | The user has chosen to cancel for license agreement. |
| 0XC1900111 | MOSETUP_E_ADVERTISE_CANCEL | The user has chosen to cancel for advertisement. |
| 0XC1900112 | MOSETUP_E_TARGET_DRIVE_NOT_FOUND | Could not find a target drive letter. |
| 0XC1900113 | MOSETUP_E_EULA_DECLINED | The user has declined the license terms. |
| 0XC190011e | MOSETUP_E_FLIGHTING_BVT | The installation process has been halted for testing purposes. |
| 0XC190011f | MOSETUP_E_PROCESS_CRASHED | The installation process crashed. |
| 0XC1900120 | MOSETUP_E_EULA_TIMEOUT | The user has not accepted Eula within the required time limit. |
| 0XC1900121 | MOSETUP_E_ADVERTISE_TIMEOUT | The user has not accepted Advertisement within the required time limit. |
| 0XC1900122 | MOSETUP_E_DOWNLOADDISKSPACE_TIMEOUT | The download diskspace issues were not resolved within the required time limit. |
| 0XC1900123 | MOSETUP_E_INSTALLDISKSPACE_TIMEOUT | The install diskspace issues were not resolved within the required time limit. |
| 0XC1900124 | MOSETUP_E_COMPAT_SYSREQ_TIMEOUT | The minimum requirements compatibility issues were not resolved within the required time limit. |
| 0XC1900125 | MOSETUP_E_COMPAT_DOWNLOADREQ_TIMEOUT | The compatibility issues for download were not resolved within the required time limit. |
| 0XC1900126 | MOSETUP_E_GATHER_OS_STATE_SIGNATURE | The GatherOsState executable has invalid signature. |
| 0XC1900127 | MOSETUP_E_UNINSTALL_ALLOWED_ABORT | The user has chosen to abort Setup to keep Uninstall option active. |
| 0XC1900128 | MOSETUP_E_MISSING_TASK | The install cannot continue because a required task is missing. |
| 0XC1900129 | MOSETUP_E_UPDATEMEDIA_REQUESTED | A more up-to-date version of setup will be launched to continue installation
| 0XC190012f | MOSETUP_E_FINALIZE_ALREADY_REQUESTED | The install cannot continue because a finalize operation was already requested. |
| 0XC1900130 | MOSETUP_E_INSTALL_HASH_MISSING | The install cannot continue because the instance hash was not found. |
| 0XC1900131 | MOSETUP_E_INSTALL_HASH_MISMATCH | The install cannot continue because the instance hash does not match. |
| 0XC19001df | MOSETUP_E_DISK_FULL | The install cannot continue because the system is out of disk space. |
| 0XC19001e0 | MOSETUP_E_GATHER_OS_STATE_FAILED | The GatherOsState executable has failed to execute. |
| 0XC19001e1 | MOSETUP_E_PROCESS_SUSPENDED | The installation process was suspended. |
| 0XC19001e2 | MOSETUP_E_PREINSTALL_SCRIPT_FAILED | A preinstall script failed to execute or returned an error. |
| 0XC19001e3 | MOSETUP_E_PRECOMMIT_SCRIPT_FAILED | A precommit script failed to execute or returned an error. |
| 0XC19001e4 | MOSETUP_E_FAILURE_SCRIPT_FAILED | A failure script failed to execute or returned an error. |
| 0XC19001e5 | MOSETUP_E_SCRIPT_TIMEOUT | A script exceeded the timeout limit. |
| 0XC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The system does not pass the minimum requirements to install the update. |
| 0XC1900201 | MOSETUP_E_COMPAT_SYSREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to install the update. |
| 0XC1900202 | MOSETUP_E_COMPAT_DOWNLOADREQ_BLOCK | The system does not pass the minimum requirements to download the update. |
| 0XC1900203 | MOSETUP_E_COMPAT_DOWNLOADREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to download the update. |
| 0XC1900204 | MOSETUP_E_COMPAT_MIGCHOICE_BLOCK | The system does not pass the requirements for desired migration choice. |
| 0XC1900205 | MOSETUP_E_COMPAT_MIGCHOICE_CANCEL | The user has chosen to cancel because the system does not pass the requirements for desired migration choice. |
| 0XC1900206 | MOSETUP_E_COMPAT_DEVICEREQ_BLOCK | The system does not pass the device scan to install the update. |
| 0XC1900207 | MOSETUP_E_COMPAT_DEVICEREQ_CANCEL | The user has chosen to cancel because the system does not pass the device scan to install the update. |
| 0XC1900208 | MOSETUP_E_COMPAT_INSTALLREQ_BLOCK | The system does not pass the compat scan to install the update. |
| 0XC1900209 | MOSETUP_E_COMPAT_INSTALLREQ_CANCEL | The user has chosen to cancel because the system does not pass the compat scan to install the update. |
| 0XC190020a | MOSETUP_E_COMPAT_RECOVERYREQ_BLOCK | The system does not pass the minimum requirements to recover Windows. |
| 0XC190020b | MOSETUP_E_COMPAT_RECOVERYREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to recover Windows. |
| 0XC190020c | MOSETUP_E_DOWNLOADDISKSPACE_BLOCK | The system does not pass the diskspace requirements to download the payload. |
| 0XC190020d | MOSETUP_E_DOWNLOADDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to download. |
| 0XC190020e | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The system does not pass the diskspace requirements to install the payload. |
| 0XC190020f | MOSETUP_E_INSTALLDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to install. |
| 0XC1900210 | MOSETUP_E_COMPAT_SCANONLY | The user has use the setup.exe command line to do scanonly, not to install the OS. |
| 0XC1900211 | MOSETUP_E_DOWNLOAD_UNPACK_DISKSPACE_BLOCK | The system does not pass the disk space requirements to download and unpack media. |
| 0XC1900212 | MOSETUP_E_DOWNLOAD_UNPACK_DISKSPACE_MULTIARCH_BLOCK | The system does not pass the disk space requirements to download and unpack multi-architecture media. |
| 0XC1900213 | MOSETUP_E_NO_OFFER_FOUND | There was no offer found that matches the required criteria. |
| 0XC1900214 | MOSETUP_E_UNSUPPORTED_VERSION | This version of the tool is not supported. |
| 0XC1900215 | MOSETUP_E_NO_MATCHING_INSTALL_IMAGE | Could not find an install image for this system. |
| 0XC1900216 | MOSETUP_E_ROLLBACK_PENDING | Found pending OS rollback operation. |
| 0XC1900220 | MOSETUP_E_COMPAT_REPORT_NOT_DISPLAYED | The compatibility report cannot be displayed due to a missing system component. |
| 0XC1900400 | MOSETUP_E_UA_VERSION_MISMATCH | An unexpected version of Update Agent client was encountered. |
| 0XC1900401 | MOSETUP_E_UA_NO_PACKAGES_TO_DOWNLOAD | No packages to be downloaded. |
| 0XC1900402 | MOSETUP_E_UA_UPDATE_CANNOT_BE_MERGED | No packages to be downloaded. |
| 0XC1900403 | MOSETUP_E_UA_CORRUPT_PAYLOAD_FILES | Payload files were corrupt. |
| 0XC1900404 | MOSETUP_E_UA_BOX_NOT_FOUND | The installation executable was not found. |
| 0XC1900405 | MOSETUP_E_UA_BOX_CRASHED | The installation process terminated unexpectedly. |
## Related topics
[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx)

229
windows/deployment/upgrade/setupdiag.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.date: 04/11/2018
ms.date: 05/02/2018
ms.localizationpriority: high
---
@ -104,81 +104,157 @@ SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /Mode:Offline /LogsPath:D:\Dump
## Known issues
1. Some rules can take a long time to process if the log files involved are large.
2. SetupDiag only outputs data in a text format. If another format is desired, please provide this [feedback](#feedback).
2. SetupDiag only outputs data in a text format.
3. If the failing computer is opted into the Insider program and getting regular pre-release updates, or an update is already pending on the computer when SetupDiag is run, it can encounter problems trying to open these log files. This will likely cause a failure to determine a root cause. In this case, try gathering the log files and running SetupDiag in offline mode.
## Sample output
The following is an example where SetupDiag is run in offline mode. In this example, it is found that disk space is not sufficient to complete Windows Setup:
The following is an example where SetupDiag is run in offline mode. In this example, there is an application warning, but since setup is executed in /quiet mode so it becomes a block. Instructions to resolve the problem are provided by SetupDiag in the output.
The output also provides an error code 0xC1900208 - 0x4000C which corresponds to a compatibility issue as documented in the [Upgrade error codes](upgrade-error-codes.md#result-codes) and [Resolution procedures](resolution-procedures.md#modern-setup-errors) topics in this article.
```
C:\setupdiag>SetupDiag /Output:C:\setupdiag\results.log /Mode:Offline /LogsPath:C:\setupdiag\logfiles
SetupDiag v1.00
Copyright (c) Microsoft Corporation. All rights reserved.
C:\SetupDiag>SetupDiag.exe /Output:C:\SetupDiag\Results.log /Mode:Offline /LogsPath:C:\Temp\BobMacNeill
SetupDiag v1.01
Copyright (c) Microsoft Corporation. All rights reserved
Searching for setup logs, this can take a minute or more depending on the number and size of the logs...please wait.
Found 1 setupact.logs.
Processing setupact.log 1 of 1
Found 4 setupact.logs.
Processing setupact.log at: c:\temp\bobmacneill\$WINDOWS.~BT\Sources\Panther\setupact.log
Processing setupact.log at: c:\temp\bobmacneill\Panther\setupact.log
Processing setupact.log at: c:\temp\bobmacneill\Panther\NewOs\Panther\setupact.log
Processing setupact.log at: c:\temp\bobmacneill\Panther\UnattendGC\setupact.log
Found c:\temp\bobmacneill\$WINDOWS.~BT\Sources\Panther\setupact.log with update date 03/29/2018 23:13:58 and CV: H2X+YsWL/UOkj/8X to be the correct setup log.
Gathering information from setup logs.
SetupDiag: processing rule: CompatScanOnly.
...No match.
..No match.
SetupDiag: processing rule: BitLockerHardblock.
...No match.
..No match.
SetupDiag: processing rule: VHDHardblock.
...No match.
..No match.
SetupDiag: processing rule: PortableWorkspaceHardblock.
...No match.
..No match.
SetupDiag: processing rule: AuditModeHardblock.
...No match.
..No match.
SetupDiag: processing rule: SafeModeHardblock.
...No match.
..No match.
SetupDiag: processing rule: InsufficientSystemPartitionDiskSpaceHardblock.
...No match.
..No match.
SetupDiag: processing rule: CompatBlockedApplicationAutoUninstall.
....No match.
SetupDiag: processing rule: HardblockApplication.
...No match.
SetupDiag: processing rule: CompatBlockedApplicationDismissable.
....
Matching Profile found: CompatBlockedApplicationDismissable - EA52620B-E6A0-4BBC-882E-0686605736D9
Warning: Found Application Block for: "Microsoft Endpoint Protection".
This is a dismissible message when not running setup.exe in "/quiet" mode.
Consider specifying "/compat /ignore warning" to ignore these dismissible warnings.
You must manually uninstall "Microsoft Endpoint Protection" before continuing with the installation/update, or change the command line parameters to ignore warnings.
For more information about Setup command line switches, see here:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-command-line-options
SetupDiag: processing rule: CompatBlockedApplicationManualUninstall.
....No match.
SetupDiag: processing rule: HardblockDeviceOrDriver.
...No match.
....No match.
SetupDiag: processing rule: HardblockMismatchedLanguage.
..No match.
SetupDiag: processing rule: HardblockFlightSigning.
..No match.
SetupDiag: processing rule: DiskSpaceBlockInDownLevel.
...
..No match.
Matching Profile found: DiskSpaceBlockInDownLevel - 6080AFAC-892E-4903-94EA-7A17E69E549E
Warning: Found Disk Space Hard Block.
Warning: You must free up at least 6603 MB of space on the System Drive, and try again.
SetupDiag: processing rule: DiskSpaceFailure.
..No match.
SetupDiag: processing rule: DebugSetupMemoryDump.
.No match.
SetupDiag: processing rule: DebugSetupCrash.
.No match.
SetupDiag: processing rule: DebugMemoryDump.
.No match.
SetupDiag: processing rule: DeviceInstallHang.
..No match.
SetupDiag: processing rule: BootFailureDetected.
.No match.
SetupDiag: processing rule: FindDebugInfoFromRollbackLog.
.No match.
SetupDiag: processing rule: AdvancedInstallerFailed.
..No match.
SetupDiag: processing rule: FindMigApplyUnitFailure.
..No match.
SetupDiag: processing rule: FindMigGatherUnitFailure.
..No match.
SetupDiag: processing rule: OptionalComponentInstallFailure.
..No match.
SetupDiag: processing rule: CriticalSafeOSDUFailure.
..No match.
SetupDiag: processing rule: UserProfileCreationFailureDuringOnlineApply.
..No match.
SetupDiag: processing rule: WimMountFailure.
..No match.
SetupDiag: processing rule: FindSuccessfulUpgrade.
..No match.
SetupDiag: processing rule: FindSetupHostReportedFailure.
..No match.
SetupDiag: processing rule: FindDownlevelFailure.
..No match.
SetupDiag: processing rule: FindAbruptDownlevelFailure.
....Error: SetupDiag reports abrupt down-level failure. Last Operation: Finalize, Error: 0xC1900208 - 0x4000C
Failure Data: Last Operation: Finalize, Error: 0xC1900208 - 0x4000C
Refer to https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-error-codes for error information.
SetupDiag: processing rule: FindSetupPlatformFailedOperationInfo.
..No match.
SetupDiag: processing rule: FindRollbackFailure.
..No match.
SetupDiag found 2 matching issues.
Warning: Found Application Block for: "Microsoft Endpoint Protection".
This is a dismissible message when not running setup.exe in "/quiet" mode.
Consider specifying "/compat /ignore warning" to ignore these dismissible warnings.
You must manually uninstall "Microsoft Endpoint Protection" before continuing with the installation/update, or change the command line parameters to ignore warnings.
For more information about Setup command line switches, see here:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-command-line-options
Error: SetupDiag reports abrupt down-level failure. Last Operation: Finalize, Error: 0xC1900208 - 0x4000C
Failure Data: Last Operation: Finalize, Error: 0xC1900208 - 0x4000C
Refer to https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-error-codes for error information.
SetupDiag found 1 matching issue.
SetupDiag results were logged to: c:\setupdiag\results.log
Logs ZipFile created at: c:\setupdiag\Logs.zip
Logs ZipFile created at: c:\setupdiag\Logs_14.zip
```
@ -188,63 +264,86 @@ When searching log files, SetupDiag uses a set of rules to match known issues. T
Each rule name and its associated unique rule identifier are listed with a description of the known upgrade-blocking issue. In the rule descriptions, the term "down-level" refers to the first phase of the upgrade process, which runs under the starting OS.
1. CompatScanOnly - FFDAFD37-DB75-498A-A893-472D49A1311D
1. CompatScanOnly - FFDAFD37-DB75-498A-A893-472D49A1311D
- This rule indicates that setup.exe was called with a specific command line parameter that indicated setup was to do a compat scan only, not an upgrade.
2. BitLockerHardblock - C30152E2-938E-44B8-915B-D1181BA635AE
2. BitLockerHardblock - C30152E2-938E-44B8-915B-D1181BA635AE
- This is a block when the target OS does not support BitLocker, yet the host OS has BitLocker enabled.
3. VHDHardblock - D9ED1B82-4ED8-4DFD-8EC0-BE69048978CC
3. VHDHardblock - D9ED1B82-4ED8-4DFD-8EC0-BE69048978CC
- This block happens when the host OS is booted to a VHD image. Upgrade is not supported when the host OS is booted from a VHD image.
4. PortableWorkspaceHardblock - 5B0D3AB4-212A-4CE4-BDB9-37CA404BB280
4. PortableWorkspaceHardblock - 5B0D3AB4-212A-4CE4-BDB9-37CA404BB280
- This indicates that the host OS is booted from a Windows To-Go device (USB key). Upgrade is not supported in the Windows To-Go environment.
5. AuditModeHardblock - A03BD71B-487B-4ACA-83A0-735B0F3F1A90
5. AuditModeHardblock - A03BD71B-487B-4ACA-83A0-735B0F3F1A90
- This block indicates that the host OS is currently booted into Audit Mode, a special mode for modifying the Windows state. Upgrade is not supported from this state.
6. SafeModeHardblock - 404D9523-B7A8-4203-90AF-5FBB05B6579B
6. SafeModeHardblock - 404D9523-B7A8-4203-90AF-5FBB05B6579B
- This block indicates that the host OS is booted to Safe Mode, where upgrade is not supported.
7. InsufficientSystemPartitionDiskSpaceHardblock - 3789FBF8-E177-437D-B1E3-D38B4C4269D1
7. InsufficientSystemPartitionDiskSpaceHardblock - 3789FBF8-E177-437D-B1E3-D38B4C4269D1
- This block is encountered when setup determines the system partition (where the boot loader files are stored) does not have enough space to be serviced with the newer boot files required during the upgrade process.
8. HardblockApplication - D6FBF046-5927-4FCD-B998-FE21CA7F6AC9
- This rule indicates the host OS had one or more hard blocked applications that need to be uninstalled prior to continuing. This typically is only a problem when /Quiet is specified on the command line.
9. HardblockDeviceOrDriver - ED3AEFA1-F3E2-4F33-8A21-184ADF215B1B
8. CompatBlockedApplicationAutoUninstall BEBA5BC6-6150-413E-8ACE-5E1EC8D34DD5
- This rule indicates there is an application that needs to be uninstalled before setup can continue.
9. CompatBlockedApplicationDismissable - EA52620B-E6A0-4BBC-882E-0686605736D9
- When running setup in /quiet mode, there are dismissible application messages that turn into blocks unless the command line also specifies “/compat /ignore warning”. This rule indicates setup was executed in /quiet mode but there is an application dismissible block message that have prevented setup from continuing.
10. CompatBlockedApplicationManualUninstall - 9E912E5F-25A5-4FC0-BEC1-CA0EA5432FF4
- This rule indicates that an application without an Add/Remove Programs entry, is present on the system and blocking setup from continuing. This typically requires manual removal of the files associated with this application to continue.
11. HardblockDeviceOrDriver - ED3AEFA1-F3E2-4F33-8A21-184ADF215B1B
- This indicates a device driver that is loaded on the host OS is not compatible with the newer OS version and needs to be removed prior to the upgrade.
10. HardblockMismatchedLanguage - 60BA8449-CF23-4D92-A108-D6FCEFB95B45
12. HardblockMismatchedLanguage - 60BA8449-CF23-4D92-A108-D6FCEFB95B45
- This rule indicates the host OS and the target OS language editions do not match.
11. HardblockFlightSigning - 598F2802-3E7F-4697-BD18-7A6371C8B2F8
13. HardblockFlightSigning - 598F2802-3E7F-4697-BD18-7A6371C8B2F8
- This rule indicates the target OS is a pre-release, Windows Insider build, and the target machine has Secure Boot enabled. This will block the pre-release signed build from booting if installed on the machine.
12. DiskSpaceBlockInDownLevel - 6080AFAC-892E-4903-94EA-7A17E69E549E
14. DiskSpaceBlockInDownLevel - 6080AFAC-892E-4903-94EA-7A17E69E549E
- This failure indicates the system ran out of disk space during the down-level operations of upgrade.
13. DiskSpaceFailure - 981DCBA5-B8D0-4BA7-A8AB-4030F7A10191
15. DiskSpaceFailure - 981DCBA5-B8D0-4BA7-A8AB-4030F7A10191
- This failure indicates the system drive ran out of available disk space at some point after the first reboot into the upgrade.
14. DeviceInstallHang - 37BB1C3A-4D79-40E8-A556-FDA126D40BC6
16. DeviceInstallHang - 37BB1C3A-4D79-40E8-A556-FDA126D40BC6
- This failure rule indicates the system hung or bug checked during the device installation phase of upgrade.
15. DebugSetupMemoryDump - C7C63D8A-C5F6-4255-8031-74597773C3C6
17. DebugSetupMemoryDump - C7C63D8A-C5F6-4255-8031-74597773C3C6
- This offline only rule indicates a bug check occurred during setup. If the debugger tools are available on the system, SetupDiag will debug the memory dump and provide details.
16. DebugSetupCrash - CEEBA202-6F04-4BC3-84B8-7B99AED924B1
18. DebugSetupCrash - CEEBA202-6F04-4BC3-84B8-7B99AED924B1
- This offline only rule indicates that setup itself encountered a failure that resulted in a process memory dump. If the debugger tools are installed on the system, SetupDiag will debug the memory dump and give further details.
17. DebugMemoryDump - 505ED489-329A-43F5-B467-FCAAF6A1264C
19. DebugMemoryDump - 505ED489-329A-43F5-B467-FCAAF6A1264C
- This offline only rule is for any memory.dmp file that resulted during the setup/upgrade operation. If the debugger tools are installed on the system, SetupDiag will debug the memory dump and give further details.
18. FindDebugInfoFromRollbackLog - 9600EB68-1120-4A87-9FE9-3A4A70ACFC37
20. BootFailureDetected - 4FB446C2-D4EC-40B4-97E2-67EB19D1CFB7
- This rule indicates a boot failure occurred during a specific phase of the update. The rule will indicate the failure code and phase for diagnostic purposes.
21. FindDebugInfoFromRollbackLog - 9600EB68-1120-4A87-9FE9-3A4A70ACFC37
- This rule will determine and give details when a bug check occurs during the setup/upgrade process that resulted in a memory dump, but without the requirement of the debugger package being on the executing machine.
19. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC
22. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC
- Finds fatal advanced installer operations that cause setup failures.
20. FindSuccessfulUpgrade - 8A0824C8-A56D-4C55-95A0-22751AB62F3E
23. FindMigApplyUnitFailure - A4232E11-4043-4A37-9BF4-5901C46FD781
- Detects a migration unit failure that caused the update to fail. This rule will output the name of the migration plug-in as well as the error code it produced for diagnostic purposes.
24. FindMigGatherUnitFailure - D04C064B-CD77-4E64-96D6-D26F30B4EE29
- Detects a migration gather unit failure that caused the update to fail. This rule will output the name of the gather unit/plug-in as well as the error code it produced for diagnostic purposes.
25. OptionalComponentInstallFailure - D012E2A2-99D8-4A8C-BBB2-088B92083D78
- This rule detects an optional component installation failure that caused the update to fail. It will output the optional component name and error code its installation resulted in for diagnostic purposes.
26. CriticalSafeOSDUFailure - 73566DF2-CA26-4073-B34C-C9BC70DBF043
- This rule indicates a failure occurred while updating the SafeOS image with a critical dynamic update. It will indicate the phase and error code that occurred while attempting to update the SafeOS image for diagnostic purposes.
27. UserProfileCreationFailureDuringOnlineApply - 678117CE-F6A9-40C5-BC9F-A22575C78B14
- Indicates there was a critical failure while creating or modifying a User Profile during the online apply phase of the update. It will indicate the operation and error code associated with the failure for diagnostic purposes.
28. WimMountFailure - BE6DF2F1-19A6-48C6-AEF8-D3B0CE3D4549
- This rule indicates the update failed to mount a wim file. It will show the name of the wim file as well as the error message and error code associated with the failure for diagnostic purposes.
29. FindSuccessfulUpgrade - 8A0824C8-A56D-4C55-95A0-22751AB62F3E
- Determines if the given setup was a success or not based off the logs.
21. FindSetupHostReportedFailure - 6253C04F-2E4E-4F7A-B88E-95A69702F7EC
30. FindSetupHostReportedFailure - 6253C04F-2E4E-4F7A-B88E-95A69702F7EC
- Gives information about failures surfaced early in the upgrade process by setuphost.exe
22. FindDownlevelFailure - 716334B7-F46A-4BAA-94F2-3E31BC9EFA55
31. FindDownlevelFailure - 716334B7-F46A-4BAA-94F2-3E31BC9EFA55
- Gives failure information surfaced by SetupPlatform, later in the down-level phase.
23. FindAbruptDownlevelFailure - 55882B1A-DA3E-408A-9076-23B22A0472BD
32. FindAbruptDownlevelFailure - 55882B1A-DA3E-408A-9076-23B22A0472BD
- Gives last operation failure information when the system fails in the down-level, but the log just ends abruptly.
24. FindSetupPlatformDownlevelFailure - 307A0133-F06B-4B75-AEA8-116C3B53C2D1
- Gives last operation and phase failure information when Setup indicates a down-level failure.
25. FindSetupPlatformDownlevelFailedOperation - 087610ED-329A-4DE9-A54C-38A3A07B5B8B
- Gives last phase and error information when Setup indicates a down-level failure.
26. FindRollbackFailure - 3A43C9B5-05B3-4F7C-A955-88F991BB5A48
33. FindSetupPlatformFailedOperationInfo - 307A0133-F06B-4B75-AEA8-116C3B53C2D1
- Gives last phase and error information when SetupPlatform indicates a critical failure. This rule will indicate the operation and error associated with the failure for diagnostic purposes.
34. FindRollbackFailure - 3A43C9B5-05B3-4F7C-A955-88F991BB5A48
- Gives last operation, failure phase and error information when a rollback occurs.
## Release notes
03/30/2018 - SetupDiag v1.00 released with 26 rules, as a standalone tool available from the Download Center.
05/02/2018 - SetupDiag v1.1 is released with 34 rules, as a standalone tool available from the Download Center.
- A performance enhancment has been added to result in faster rule processing.
- Rules output now includes links to support articles, if applicable.
- SetupDiag now provides the path and name of files that it is processing.
- You can now run SetupDiag by simply clicking on it and then examining the output log file.
- An output log file is now always created, whether or not a rule was matched.
03/30/2018 - SetupDiag v1.0 is released with 26 rules, as a standalone tool available from the Download Center.
## Related topics

14
windows/deployment/upgrade/upgrade-error-codes.md
View File

@ -37,7 +37,19 @@ Note: If only a result code is returned, this can be because a tool is being use
>A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. <br>To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](resolution-procedures.md) section later in this article.
Result codes can be matched to the type of error encountered. To match a result code to an error:
The following set of result codes are associated with [Windows Setup](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options) compatibility warnings:
| Result code | Message | Description |
| --- | --- | --- |
| 0xC1900210 | MOSETUP_E_COMPAT_SCANONLY | Setup did not find any compat issue |
| 0xC1900208 | MOSETUP_E_COMPAT_INSTALLREQ_BLOCK | Setup found an actionable compat issue, such as an incompatible app |
| 0xC1900204 | MOSETUP_E_COMPAT_MIGCHOICE_BLOCK | The migration choice selected is not available (ex: Enterprise to Home) |
| 0xC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The computer is not eligible for Windows 10 |
| 0xC190020E | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The computer does not have enough free space to install |
A list of modern setup (mosetup) errors with descriptions in the range is available in the [Resolution procudures](resolution-procedures.md#modern-setup-errors) topic in this article.
Other result codes can be matched to the specific type of error encountered. To match a result code to an error:
1. Identify the error code type as either Win32 or NTSTATUS using the first hexadecimal digit:
<br>**8** = Win32 error code (ex: 0x**8**0070070)

2
windows/deployment/upgrade/upgrade-readiness-requirements.md
View File

@ -39,7 +39,7 @@ Upgrade Readiness is offered as a solution in the Microsoft Operations Managemen
If youre already using OMS, youll find Upgrade Readiness in the Solutions Gallery. Click the Upgrade Readiness tile in the gallery and then click Add on the solutions details page. Upgrade Readiness is now visible in your workspace.
If you are not using OMS, go to the [Upgrade Readiness page](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics) on Microsoft.com and select **Sign up** to kick off the OMS onboarding process. During the onboarding process, youll create an OMS workspace and add the Upgrade Readiness solution to it.
If you are not using OMS, go to the [Upgrade Readiness page](https://www.microsoft.com/en-us/windowsforbusiness/simplified-updates) on Microsoft.com and select **Sign up** to kick off the OMS onboarding process. During the onboarding process, youll create an OMS workspace and add the Upgrade Readiness solution to it.
Important: You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions.

5
windows/deployment/upgrade/windows-10-edition-upgrades.md
View File

@ -46,11 +46,6 @@ X = unsupported <BR>
| **Home > Pro for Workstations** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) |
| **Home > Pro Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
| **Home > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
<!-- | **S > Pro** | ![supported, no reboot](../images/check_blu.png) <br>(1709) | ![supported, no reboot](../images/check_blu.png) <br>(1709) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, no reboot](../images/check_blu.png) <br>(1709) | ![supported, no reboot](../images/check_blu.png) <br>(1709) |
| **S > Pro for Workstations** | ![supported, no reboot](../images/check_blu.png) <br>(1709) | ![supported, no reboot](../images/check_blu.png) <br>(1709) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, no reboot](../images/check_blu.png) <br>(1709) | ![supported, no reboot](../images/check_blu.png) <br>(1709) |
| **S > Pro Education** | ![supported, no reboot](../images/check_blu.png) <br>(1709) | ![supported, no reboot](../images/check_blu.png) <br>(1709) | ![not supported](../images/x_blk.png) | ![supported, no reboot](../images/check_blu.png) <br>(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) <br>(1709) | ![not supported](../images/x_blk.png) |
| **S > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
| **S > Enterprise** | ![supported, no reboot](../images/check_blu.png) <br>(1709) | ![supported, no reboot](../images/check_blu.png) <br>(1709) | ![not supported](../images/x_blk.png) | ![supported, no reboot](../images/check_blu.png) <br>(1703 - PC)<br>(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) <br>(1709) | ![not supported](../images/x_blk.png) | -->
| **Pro > Pro for Workstations** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) |
| **Pro > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
| **Pro > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |

7
windows/deployment/windows-10-pro-in-s-mode.md
View File

@ -52,8 +52,8 @@ We recommend staying in S mode. However, in some limited scenarios, you might ne
If youre running Windows 10, version 1709 or version 1803, you can switch to Windows 10 Pro through the Microsoft Store. Devices running version 1803 will only be able to switch through the Store one device at a time.
1. Sign into the Microsoft Store using your Microsoft account.
2. Search for "Switch to Windows 10 Pro."
3. In the offer, click **Buy** or **Get**.
2. Search for "S mode"
3. In the offer, click **Buy**, **Get**, OR **Learn more.**
You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro.
> [!IMPORTANT]
@ -61,6 +61,7 @@ You'll be prompted to save your files before the switch starts. Follow the promp
## Related topics
[FAQs](https://support.microsoft.com/en-us/help/4020089/windows-10-in-s-mode-faq)<br>
[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)<BR>
[Windows 10 Pro Education](https://docs.microsoft.com/education/windows/test-windows10s-for-edu)<BR>
[Introdiction to Microsoft Intune in the Azure portal](https://docs.microsoft.com/en-us/intune/what-is-intune)
[Introduction to Microsoft Intune in the Azure portal](https://docs.microsoft.com/en-us/intune/what-is-intune)

10
windows/security/information-protection/TOC.md
View File

@ -3,6 +3,15 @@
## [BitLocker](bitlocker\bitlocker-overview.md)
### [Overview of BitLocker Device Encryption in Windows 10](bitlocker\bitlocker-device-encryption-overview-windows-10.md)
### [BitLocker frequently asked questions (FAQ)](bitlocker\bitlocker-frequently-asked-questions.md)
#### [Overview and requirements](bitlocker\bitlocker-overview-and-requirements-faq.md)
#### [Upgrading](bitlocker\bitlocker-upgrading-faq.md)
#### [Deployment and administration](bitlocker\bitlocker-deployment-and-administration-faq.md)
#### [Key management](bitlocker\bitlocker-key-management-faq.md)
#### [BitLocker To Go](bitlocker\bitlocker-to-go-faq.md)
#### [Active Directory Domain Services](bitlocker\bitlocker-and-adds-faq.md)
#### [Security](bitlocker\bitlocker-security-faq.md)
#### [BitLocker Network Unlock](bitlocker\bitlocker-network-unlock-faq.md)
#### [General](bitlocker\bitlocker-using-with-other-programs-faq.md)
### [Prepare your organization for BitLocker: Planning and policies](bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md)
### [BitLocker basic deployment](bitlocker\bitlocker-basic-deployment.md)
### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker\bitlocker-how-to-deploy-on-windows-server.md)
@ -42,4 +51,5 @@
#### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](windows-information-protection\app-behavior-with-wip.md)
#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](windows-information-protection\recommended-network-definitions-for-wip.md)
#### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md)
### [Fine-tune Windows Information Protection (WIP) with WIP Learning](windows-information-protection\wip-learning.md)

58
windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md Normal file
View File

@ -0,0 +1,58 @@
---
title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10)
description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.date: 05/03/2018
---
# BitLocker and Active Directory Domain Services (AD DS) FAQ
**Applies to**
- Windows 10
## What type of information is stored in AD DS?
Stored information | Description
-------------------|------------
Hash of the TPM owner password | Beginning with Windows 10, the password hash is not stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in.
BitLocker recovery password | The recovery password allows you to unlock and access the drive in the event of a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, Repair-bde.
## What if BitLocker is enabled on a computer before the computer has joined the domain?
If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered** and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the C: drive to AD DS, you would use the following command from an elevated command prompt: **manage-bde -protectors -adbackup C:**.
> [!IMPORTANT]  
> Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
 
## Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup?
Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed.
Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.
## If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?
No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.
## What happens if the backup initially fails? Will BitLocker retry the backup?
If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS.
When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, **Choose how BitLocker-protected removable data drives can be recovered** policy settings, this prevents users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.

94
windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md Normal file
View File

@ -0,0 +1,94 @@
---
title: BitLocker frequently asked questions (FAQ) (Windows 10)
description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.date: 05/03/2018
---
# BitLocker Deployment and Administration FAQ
**Applies to**
- Windows 10
## Can BitLocker deployment be automated in an enterprise environment?
Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](https://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/bitlocker/index?view=win10-ps).
## Can BitLocker encrypt more than just the operating system drive?
Yes.
## Is there a noticeable performance impact when BitLocker is enabled on a computer?
Generally it imposes a single-digit percentage performance overhead.
## How long will initial encryption take when BitLocker is turned on?
Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive.
You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
## What happens if the computer is turned off during encryption or decryption?
If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.
## Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
## How can I prevent users on a network from storing data on an unencrypted drive?
You can can Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only.
## What is Used Disk Space Only encryption?
BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to beencrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption).
## What system changes would cause the integrity check on my operating system drive to fail?
The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:
- Moving the BitLocker-protected drive into a new computer.
- Installing a new motherboard with a new TPM.
- Turning off, disabling, or clearing the TPM.
- Changing any boot configuration settings.
- Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
## What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode.
For example:
- Changing the BIOS boot order to boot another drive in advance of the hard drive.
- Adding or removing hardware, such as inserting a new card in the computer, including some PCMIA wireless cards.
- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password.
The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
## What can prevent BitLocker from binding to PCR 7?
This happens if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it.
## Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
## Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
## Why is "Turn BitLocker on" not available when I right-click a drive?
Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted.
## What type of disk configurations are supported by BitLocker?
Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.

11
windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
View File

@ -31,14 +31,9 @@ Table 2 lists specific data-protection concerns and how they are addressed in Wi
| When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. |
| There is no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. |
| Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. |
| Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt drives in seconds. |
| Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt removable data drives in seconds. |
| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when he or she loses the PIN or password. |
| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. |
The sections that follow describe these improvements in more detail. Also see:
- Additional description of improvements in BitLocker: see the [BitLocker](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10, versions 1507 and 1511."
- Introduction and requirements for BitLocker: see [BitLocker](bitlocker-overview.md).
| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. |
## Prepare for drive and file encryption
@ -81,7 +76,7 @@ Administrators can manage domain-joined devices that have BitLocker Device Encry
## Used Disk Space Only encryption
BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted, in which case traces of the confidential data could remain on portions of the drive marked as unused.
BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused.
But why encrypt a new drive when you can simply encrypt the data as it is being written? To reduce encryption time, BitLocker in Windows 10 lets users choose to encrypt just their data. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent.
Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they are overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it is written to the disk.

412
windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.date: 10/16/2017
ms.date: 05/03/2018
---
# BitLocker frequently asked questions (FAQ)
@ -16,403 +16,17 @@ ms.date: 10/16/2017
**Applies to**
- Windows 10
This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
BitLocker is a data protection feature that encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
- [Overview and requirements](#bkmk-overview)
- [Upgrading](#bkmk-upgrading)
- [Deployment and administration](#bkmk-deploy)
- [Key management](#bkmk-keymanagement)
- [BitLocker To Go](#bkmk-btgsect)
- [Active Directory Domain Services (AD DS)](#bkmk-adds)
- [Security](#bkmk-security)
- [BitLocker Network Unlock](#bkmk-bnusect)
- [Other questions](#bkmk-other)
## <a href="" id="bkmk-overview"></a>Overview and requirements
### <a href="" id="bkmk-whatisbitlocker"></a>How does BitLocker work?
**How BitLocker works with operating system drives**
You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
**How BitLocker works with fixed and removable data drives**
You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods.
### <a href="" id="bkmk-multifactorsupport"></a>Does BitLocker support multifactor authentication?
Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection.
### <a href="" id="bkmk-hsrequirements"></a>What are the BitLocker hardware and software requirements?
For requirements, see [System requirements](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview#system-requirements).
> **Note:**  Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker.
 
### <a href="" id="bkmk-partitions"></a>Why are two partitions required? Why does the system drive have to be so large?
Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive.
### <a href="" id="bkmk-tpmchipsupport"></a>Which Trusted Platform Modules (TPMs) does BitLocker support?
BitLocker supports TPM version 1.2 or higher.
### <a href="" id="bkmk-havetpm"></a>How can I tell if a TPM is on my computer?
Open the TPM MMC console (tpm.msc) and look under the **Status** heading.
### <a href="" id="bkmk-notpm"></a>Can I use BitLocker on an operating system drive without a TPM?
Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.
To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.
### <a href="" id="bkmk-biossupport"></a>How do I obtain BIOS support for the TPM on my computer?
Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:
- It is compliant with the TCG standards for a client computer.
- It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.
### <a href="" id="bkmk-privs"></a>What credentials are required to use BitLocker?
To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.
### <a href="" id="bkmk-bootorder"></a>What is the recommended boot order for computers that are going to be BitLocker-protected?
You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such ach as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked. 
## <a href="" id="bkmk-upgrading"></a>Upgrading
### <a href="" id="bkmk-upgradev27"></a>Can I upgrade to Windows 10 with BitLocker enabled?
Yes.
### <a href="" id="bkmk-disabledecrypt"></a>What is the difference between suspending and decrypting BitLocker?
**Decrypt** completely removes BitLocker protection and fully decrypts the drive.
**Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
### <a href="" id="bkmk-decryptfirst"></a>Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades?
No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start).
Users need to suspend BitLocker for Non-Microsoft software updates, such as:
- Computer manufacturer firmware updates
- TPM firmware updates
- Non-Microsoft application updates that modify boot components
> **Note:**  If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
 
## <a href="" id="bkmk-deploy"></a>Deployment and administration
### <a href="" id="bkmk-automate"></a>Can BitLocker deployment be automated in an enterprise environment?
Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](https://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj649829.aspx).
### <a href="" id="bkmk-os"></a>Can BitLocker encrypt more than just the operating system drive?
Yes.
### <a href="" id="bkmk-performance"></a>Is there a noticeable performance impact when BitLocker is enabled on a computer?
Generally it imposes a single-digit percentage performance overhead.
### <a href="" id="bkmk-longencrypt"></a>How long will initial encryption take when BitLocker is turned on?
Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive.
You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
### <a href="" id="bkmk-turnoff"></a>What happens if the computer is turned off during encryption or decryption?
If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.
### <a href="" id="bkmk-entiredisk"></a>Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
### <a href="" id="bkmk-dataunencryptpart"></a>How can I prevent users on a network from storing data on an unencrypted drive?
You can can Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only.
### <a href="" id="bkmk-integrityfail"></a>What system changes would cause the integrity check on my operating system drive to fail?
The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:
- Moving the BitLocker-protected drive into a new computer.
- Installing a new motherboard with a new TPM.
- Turning off, disabling, or clearing the TPM.
- Changing any boot configuration settings.
- Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
### <a href="" id="bkmk-examplesosrec"></a>What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode.
For example:
- Changing the BIOS boot order to boot another drive in advance of the hard drive.
- Adding or removing hardware, such as inserting a new card in the computer, including some PCMIA wireless cards.
- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password.
The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
### <a href="" id="bkmk-driveswap"></a>Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
### <a href="" id="bkmk-altpc"></a>Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
### <a href="" id="bkmk-noturnon"></a>Why is "Turn BitLocker on" not available when I right-click a drive?
Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted.
### <a href="" id="bkmk-r2disks"></a>What type of disk configurations are supported by BitLocker?
Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.
## <a href="" id="bkmk-keymanagement"></a>Key management
### <a href="" id="bkmk-key"></a>What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key?
For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods).
### <a href="" id="bkmk-recoverypass"></a>How can the recovery password and recovery key be stored?
The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed.
For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive.
A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.
### <a href="" id="bkmk-enableauthwodecrypt"></a>Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *&lt;4-20 digit numeric PIN&gt;* with the numeric PIN you want to use:
`manage-bde protectors delete %systemdrive% -type tpm`
`manage-bde protectors add %systemdrive% -tpmandpin <4-20 digit numeric PIN>`
### <a href="" id="bkmk-add-auth"></a> When should an additional method of authentication be considered?
New hardware that meets [Windows Hardware Compatibility Program](https://docs.microsoft.com/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack.
For older hardware, where a PIN may be needed, its recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers.
### <a href="" id="bkmk-recoveryinfo"></a>If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
>**Important:**  Store the recovery information in AD DS, along with your Microsoft Account, or another safe location.
 
### <a href="" id="bkmk-usbdrive"></a>Can the USB flash drive that is used as the startup key also be used to store the recovery key?
While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.
### <a href="" id="bkmk-startupkey"></a>Can I save the startup key on multiple USB flash drives?
Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed.
### <a href="" id="bkmk-multikeyoneusb"></a>Can I save multiple (different) startup keys on the same USB flash drive?
Yes, you can save BitLocker startup keys for different computers on the same USB flash drive.
### <a href="" id="bkmk-multikey"></a>Can I generate multiple (different) startup keys for the same computer?
You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.
### <a href="" id="bkmk-multipin"></a>Can I generate multiple PIN combinations?
You cannot generate multiple PIN combinations.
### <a href="" id="bkmk-encryptkeys"></a>What encryption keys are used in BitLocker? How do they work together?
Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios.
### <a href="" id="bkmk-keystorage"></a>Where are the encryption keys stored?
The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.
This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.
### <a href="" id="bkmk-funckey"></a>Why do I have to use the function keys to enter the PIN or the 48-character recovery password?
The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards.
When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment.
### <a href="" id="bkmk-youbrute"></a>How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?
It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer.
The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks.
After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.
### <a href="" id="bkmk-tpmprov"></a>How can I determine the manufacturer of my TPM?
You can determine your TPM manufacturer in the TPM MMC console (tpm.msc) under the **TPM Manufacturer Information** heading.
### <a href="" id="bkmk-tpmdam"></a>How can I evaluate a TPM's dictionary attack mitigation mechanism?
The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:
- How many failed authorization attempts can occur before lockout?
- What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
- What actions can cause the failure count and lockout duration to be decreased or reset?
### <a href="" id="bkmk-pinlength"></a>Can PIN length and complexity be managed with Group Policy?
Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
## <a href="" id="bkmk-btgsect"></a>BitLocker To Go
BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems.
## <a href="" id="bkmk-adds"></a>Active Directory Domain Services (AD DS)
### What if BitLocker is enabled on a computer before the computer has joined the domain?
If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered** and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the C: drive to AD DS, you would use the following command from an elevated command prompt: **manage-bde -protectors -adbackup C:**.
>**Important:**  Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
 
### <a href="" id="bkmk-addseventlog"></a>Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup?
Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed.
Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.
### <a href="" id="bkmk-refresh"></a>If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?
No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.
### <a href="" id="bkmk-adbackupfails"></a>What happens if the backup initially fails? Will BitLocker retry the backup?
If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS.
When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, **Choose how BitLocker-protected removable data drives can be recovered** policy settings, this prevents users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.
## <a href="" id="bkmk-security"></a>Security
### <a href="" id="bkmk-form"></a>What form of encryption does BitLocker use? Is it configurable?
BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy.
### <a href="" id="bkmk-config"></a>What is the best practice for using BitLocker on an operating system drive?
The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.
### <a href="" id="bkmk-sleep"></a>What are the implications of using the sleep or hibernate power management options?
BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method.
### <a href="" id="bkmk-root"></a>What are the advantages of a TPM?
Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.
>**Note:**  Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.
 
## <a href="" id="bkmk-bnusect"></a>BitLocker Network Unlock
BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method.
To use Network Unlock you must also have a PIN configured for your computer. When your computer is not connected to the network you will need to provide the PIN to unlock it.
BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it.
Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is
not available you will need to use the recovery key to unlock the computer if it can not be connected to the network.
For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
## <a href="" id="bkmk-other"></a>Other questions
### <a href="" id="bkmk-kernel"></a>Can I run a kernel debugger with BitLocker?
Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode.
### <a href="" id="bkmk-errorreports"></a>How does BitLocker handle memory dumps?
BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled.
### <a href="" id="bkmk-smart"></a>Can BitLocker support smart cards for pre-boot authentication?
BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them very difficult.
### <a href="" id="bkmk-driver"></a>Can I use a non-Microsoft TPM driver?
Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker.
### <a href="" id="bkmk-mbr"></a>Can other tools that manage or modify the master boot record work with BitLocker?
We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely.
### <a href="" id="bkmk-syschkfail"></a>Why is the system check failing when I am encrypting my operating system drive?
The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:
- The computer's BIOS or UEFI firmware cannot read USB flash drives.
- The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled.
- There are multiple USB flash drives inserted into the computer.
- The PIN was not entered correctly.
- The computer's BIOS or UEFI firmware only supports using the function keys (F1F10) to enter numerals in the pre-boot environment.
- The startup key was removed before the computer finished rebooting.
- The TPM has malfunctioned and fails to unseal the keys.
### <a href="" id="bkmk-usbkeyfail"></a>What can I do if the recovery key on my USB flash drive cannot be read?
Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system.
### <a href="" id="bkmk-usbkeynosave"></a>Why am I unable to save my recovery key to my USB flash drive?
The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys.
### <a href="" id="bkmk-noautounlock"></a>Why am I unable to automatically unlock my drive?
Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers.
### <a href="" id="bkmk-blsafemode"></a>Can I use BitLocker in Safe Mode?
Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode.
### <a href="" id="bkmk-lockdata"></a>How do I "lock" a data drive?
Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the lock command.
>**Note:**  Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible.
 
The syntax of this command is:
`manage-bde <driveletter> -lock`
Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer.
### <a href="" id="bkmk-shadowcopy"></a>Can I use BitLocker with the Volume Shadow Copy Service?
Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained.
### <a href="" id="bkmk-vhd"></a>Does BitLocker support virtual hard disks (VHDs)?
BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2.
### <a href="" id="bkmk-VM"></a> Can I use BitLocker with virtual machines (VMs)?
Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (in **Settings** under **Accounts** > **Access work or school** > **Connect to work or school** to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
This topic links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on your computer to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they are decommissioned because it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
- [Overview and requirements](bitlocker-overview-and-requirements-faq.md)
- [Upgrading](bitlocker-upgrading-faq.md)
- [Deployment and administration](bitlocker-deployment-and-administration-faq.md)
- [Key management](bitlocker-key-management-faq.md)
- [BitLocker To Go](bitlocker-to-go-faq.md)
- [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.md)
- [Security](bitlocker-security-faq.md)
- [BitLocker Network Unlock](bitlocker-network-unlock-faq.md)
- [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.md)
## More information
@ -424,4 +38,4 @@ Yes. Password protectors and virtual TPMs can be used with BitLocker to protect
- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
- [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)
- [BitLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/6f49f904-e04d-4b90-afbc-84bc45d4d30d)
- [BitLocker Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/bitlocker/index?view=win10-ps)

118
windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md Normal file
View File

@ -0,0 +1,118 @@
---
title: BitLocker Key Management FAQ (Windows 10)
description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.date: 05/03/2018
---
# BitLocker Key Management FAQ
**Applies to**
- Windows 10
## How can I authenticate or unlock my removable data drive?
You can unlock removable data drives by using a password, a smart card, or you can configure a SID protector to unlock a drive by using your domain credentials. After you've started encryption, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users, as well as password complexity and minimum length requirements. To unlock by using a SID protector, use Manage-bde:
<code>Manage-bde -protectors -add e: -sid <i>domain\username</i></code>
## What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key?
For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods).
## How can the recovery password and recovery key be stored?
The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed.
For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive.
A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.
## Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the numeric PIN you want to use:
<code>manage-bde protectors delete %systemdrive% -type tpm</code>
<code>manage-bde protectors add %systemdrive% -tpmandpin <i>4-20 digit numeric PIN</i></code>
## When should an additional method of authentication be considered?
New hardware that meets [Windows Hardware Compatibility Program](https://docs.microsoft.com/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack.
For older hardware, where a PIN may be needed, its recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers.
## If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
> [!IMPORTANT]  
> Store the recovery information in AD DS, along with your Microsoft Account, or another safe location.
 
## Can the USB flash drive that is used as the startup key also be used to store the recovery key?
While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.
## Can I save the startup key on multiple USB flash drives?
Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed.
## Can I save multiple (different) startup keys on the same USB flash drive?
Yes, you can save BitLocker startup keys for different computers on the same USB flash drive.
## Can I generate multiple (different) startup keys for the same computer?
You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.
## Can I generate multiple PIN combinations?
You cannot generate multiple PIN combinations.
## What encryption keys are used in BitLocker? How do they work together?
Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios.
## Where are the encryption keys stored?
The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.
This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.
## Why do I have to use the function keys to enter the PIN or the 48-character recovery password?
The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards.
When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment.
## How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?
It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer.
The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks.
After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.
## How can I determine the manufacturer of my TPM?
You can determine your TPM manufacturer in **Windows Defender Security Center** > **Device Security** > **Security processor details**.
## How can I evaluate a TPM's dictionary attack mitigation mechanism?
The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:
- How many failed authorization attempts can occur before lockout?
- What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
- What actions can cause the failure count and lockout duration to be decreased or reset?
## Can PIN length and complexity be managed with Group Policy?
Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).

30
windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md Normal file
View File

@ -0,0 +1,30 @@
---
title: BitLocker frequently asked questions (FAQ) (Windows 10)
description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.date: 05/03/2018
---
# BitLocker Network Unlock FAQ
**Applies to**
- Windows 10
BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method.
To use Network Unlock you must also have a PIN configured for your computer. When your computer is not connected to the network you will need to provide the PIN to unlock it.
BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it.
Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is
not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network.
For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).

70
windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md Normal file
View File

@ -0,0 +1,70 @@
---
title: BitLocker overview and requirements FAQ (Windows 10)
description: This topic for the IT professional answers frequently asked questions concerning the requirements to use BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.date: 05/03/2018
---
# BitLocker Overview and Requirements FAQ
**Applies to**
- Windows 10
## How does BitLocker work?
**How BitLocker works with operating system drives**
You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
**How BitLocker works with fixed and removable data drives**
You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods.
## Does BitLocker support multifactor authentication?
Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection.
## What are the BitLocker hardware and software requirements?
For requirements, see [System requirements](bitlocker-overview.md#system-requirements).
> [!NOTE]  
> Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker.
 
## Why are two partitions required? Why does the system drive have to be so large?
Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive.
## Which Trusted Platform Modules (TPMs) does BitLocker support?
BitLocker supports TPM version 1.2 or higher.
## How can I tell if a TPM is on my computer?
Beginning with Windows 10, version 1803, you can check TPM status in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading.
## Can I use BitLocker on an operating system drive without a TPM?
Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.
To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.
## How do I obtain BIOS support for the TPM on my computer?
Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:
- It is compliant with the TCG standards for a client computer.
- It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.
## What credentials are required to use BitLocker?
To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.
## What is the recommended boot order for computers that are going to be BitLocker-protected?
You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such ach as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked. 

38
windows/security/information-protection/bitlocker/bitlocker-security-faq.md Normal file
View File

@ -0,0 +1,38 @@
---
title: BitLocker Security FAQ (Windows 10)
description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.date: 05/03/2018
---
# BitLocker Security FAQ
**Applies to**
- Windows 10
## What form of encryption does BitLocker use? Is it configurable?
BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy.
## What is the best practice for using BitLocker on an operating system drive?
The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.
## What are the implications of using the sleep or hibernate power management options?
BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method.
## What are the advantages of a TPM?
Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.
> [!NOTE]  
> Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.
 

22
windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md Normal file
View File

@ -0,0 +1,22 @@
---
title: BitLocker To Go FAQ (Windows 10)
description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.date: 05/03/2018
---
# BitLocker To Go FAQ
**Applies to**
- Windows 10
## What is BitLocker To Go?
BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems.

40
windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md Normal file
View File

@ -0,0 +1,40 @@
---
title: BitLocker Upgrading FAQ (Windows 10)
description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.date: 05/03/2018
---
# BitLocker Upgrading FAQ
**Applies to**
- Windows 10
## Can I upgrade to Windows 10 with BitLocker enabled?
Yes.
## What is the difference between suspending and decrypting BitLocker?
**Decrypt** completely removes BitLocker protection and fully decrypts the drive.
**Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
## Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades?
No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start).
Users need to suspend BitLocker for Non-Microsoft software updates, such as:
- Computer manufacturer firmware updates
- TPM firmware updates
- Non-Microsoft application updates that modify boot components
> [!NOTE]  
> If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
 

95
windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md Normal file
View File

@ -0,0 +1,95 @@
---
title: Using BitLocker with other programs FAQ (Windows 10)
description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.date: 05/03/2018
---
# Using BitLocker with other programs FAQ
**Applies to**
- Windows 10
## Can I use EFS with BitLocker?
Yes, you can use Encrypting File System (EFS) to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. You can also use EFS in Windows to encrypt files on other drives that are not encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker.
## Can I run a kernel debugger with BitLocker?
Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode.
## How does BitLocker handle memory dumps?
BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled.
## Can BitLocker support smart cards for pre-boot authentication?
BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them very difficult.
## Can I use a non-Microsoft TPM driver?
Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker.
## Can other tools that manage or modify the master boot record work with BitLocker?
We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely.
## Why is the system check failing when I am encrypting my operating system drive?
The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:
- The computer's BIOS or UEFI firmware cannot read USB flash drives.
- The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled.
- There are multiple USB flash drives inserted into the computer.
- The PIN was not entered correctly.
- The computer's BIOS or UEFI firmware only supports using the function keys (F1F10) to enter numerals in the pre-boot environment.
- The startup key was removed before the computer finished rebooting.
- The TPM has malfunctioned and fails to unseal the keys.
## What can I do if the recovery key on my USB flash drive cannot be read?
Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system.
## Why am I unable to save my recovery key to my USB flash drive?
The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys.
## Why am I unable to automatically unlock my drive?
Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers.
## Can I use BitLocker in Safe Mode?
Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode.
## How do I "lock" a data drive?
Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the lock command.
> [!NOTE]  
> Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible.
 
The syntax of this command is:
<code>manage-bde <i>driveletter</i> -lock</code>
Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer.
## Can I use BitLocker with the Volume Shadow Copy Service?
Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained.
## Does BitLocker support virtual hard disks (VHDs)?
BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2.
## Can I use BitLocker with virtual machines (VMs)?
Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (in **Settings** under **Accounts** > **Access work or school** > **Connect** to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.

1
windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md
View File

@ -256,6 +256,7 @@ Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the
For this example, were going to add an AppLocker XML file to the **Allowed apps** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
**To create a list of Allowed apps using the AppLocker tool**
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.

BIN
windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 215 KiB

BIN
windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 103 KiB

BIN
windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 510 KiB

BIN
windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 406 KiB

BIN
windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 127 KiB

BIN
windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 326 KiB

BIN
windows/security/information-protection/windows-information-protection/images/wip-learning-app-info.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 256 KiB

BIN
windows/security/information-protection/windows-information-protection/images/wip-learning-choose-store-or-desktop-app.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 250 KiB

BIN
windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 105 KiB

4
windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
author: coreyp-at-msft
ms.localizationpriority: medium
ms.date: 09/11/2017
---
@ -120,7 +120,7 @@ WIP currently addresses these enterprise scenarios:
- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isnt required.
### WIP-protection modes
### <a href="" id="bkmk-modes"></a>WIP-protection modes
Enterprise data is automatically encrypted after its loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.
Your WIP policy includes a list of trusted apps that are allowed to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list dont have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if its personally owned.

101
windows/security/information-protection/windows-information-protection/wip-learning.md Normal file
View File

@ -0,0 +1,101 @@
---
title:
# Fine-tune Windows Information Policy (WIP) with WIP Learning
description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company.
ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
ms.pagetype: security
author: coreyp-at-msft
ms.localizationpriority: medium
ms.date: 04/18/2018
---
# Fine-tune Windows Information Protection (WIP) with WIP Learning
**Applies to:**
- Windows 10, version 1703 and later
- Windows 10 Mobile, version 1703 and later
With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports are accessed from Microsoft Azure Intune, and you can alternately access the App learning report from Microsoft Operations Management Suite (OMS).
The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Hide overrides”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly.
In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list.
## Access the WIP Learning reports
1. Open the [Azure portal](http://https://portal.azure.com/). Choose **All services**. Type **Intune** in the text box filter.
2. Choose **Intune** > **Mobile Apps**.
3. Choose **App protection status**.
4. Choose **Reports**.
![Image showing the UI path to the WIP report](images/access-wip-learning-report.png)
5. Finally, select either **App learning report for Windows Information Protection**, or **Website learning report for Windows Information Protection**.
![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png)
Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. Next, we'll look at how to do that in Operations Management Suite (OMS).
## View the WIP app learning report in Microsoft Operations Management Suite
From Intune, you can open OMS by choosing **WIP in the OMS console**. Then you can view the WIP App learning blade to monitor access events per app, and devices that have reported WIP access events:
![View in Intune of the link to OMS](images/wip-in-oms-console-link.png)
If you don't have OMS linked to your Microsoft Azure Account, and want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information.
>[!NOTE]
>Intune has a 14 day data retention capacity, while OMS offers better querying capabilities and longer data retention.
Once you have WIP policies in place, by using the WIP section of Device Health, you can:
- Reduce disruptive prompts by adding rules to allow data sharing from approved apps.
- Tune WIP rules by confirming that certain apps are allowed or denied by current policy.
![Main Windows Information Protection view](images/oms-wip-app-learning-tile.png)
The **APP LEARNING** tile shows details of app statistics that you can use to evaluate each incident and update app policies by using WIP AppIDs.
![Details view](images/WIPNEW1-chart-selected-sterile.png)
In this chart view, you can see apps that have been used on connected devices which, when clicked on, will open additional details on the app, including details you need to adjust your WIP Policy:
![Details view for a specific app](images/WIPappID-sterile.png)
Here, you can copy the **WipAppid** and use it to adjust your WIP protection policies.
## Use OMS and Intune to adjust WIP protection policy
1. Click the **APP LEARNING** tile in OMS, as described above, to determine which apps are being used for work so you can add those you choose to your WIP policy.
2. Click the app you want to add to your policy and copy the publisher information from the app details screen.
3. Back in Intune, click **App protection policies** and then choose the app policy you want to add an application to.
4. Click **Protected apps**, and then click **Add Apps**.
5. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app).
![View of drop down menu for Store or desktop apps](images/wip-learning-choose-store-or-desktop-app.png)
6. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 2 above.
![View of Add Apps app info entry boxes](images/wip-learning-app-info.png)
7. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**).
8. Back in OMS, copy the name of the executable (for example, snippingtool.exe) and then go back to Intune and paste it in **FILE** (required).
9. Go back to OMS one more time and note the version number of the app and type it in **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny**
When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide overrides**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

5
windows/security/threat-protection/TOC.md
View File

@ -95,6 +95,9 @@
##### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
##### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
### [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
###API and SIEM support
#### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md)
##### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md)
@ -191,7 +194,7 @@
##### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
##### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
##### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
##### [Protect data with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
####Permissions
##### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)

8
windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
View File

@ -21,7 +21,9 @@ Describes the best practices, location, values, and security considerations for
The **Domain member: Maximum machine account password age** policy setting determines when a domain member submits a password change.
In Active Directorybased domains, each device has an account and password, just like every user. By default, the domain members submit a password change every 30 days. Increasing this interval significantly, or setting it to **0** so that a device no longer submits a password change, gives a malicious user more time to undertake a brute-force password-guessing attack against one of the machine accounts.
In Active Directorybased domains, each device has an account and password. By default, the domain members submit a password change every 30 days. Increasing this interval significantly, or setting it to **0** so that a device no longer submits a password change, gives a malicious user more time to undertake a brute-force password-guessing attack against one of the machine accounts.
For more information, see [Machine Account Password Process](https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/).
### Possible values
@ -30,8 +32,8 @@ In Active Directorybased domains, each device has an account and password, ju
### Best practices
1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days.
2. If the machine's password has expired, it will no longer be able to authenticate with the domain. The easiest way to get authentication working again might require removing the device from the domain and then re-joining it. For this reason, some organizations create a special organizational unit (OU) for computers that are prebuilt and then stored for later use or shipped to remote locations, and change the value to more than 30 days.
It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days.
Setting the value to fewer days can increase replication and impact domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would impact domain controllers in large organizations with many computers or slow links between sites.
### Location

1
windows/security/threat-protection/windows-defender-application-control/TOC.md
View File

@ -28,6 +28,7 @@
### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md)
#### [Signing WDAC policies with SignTool.exe](signing-policies-with-signtool.md)
### [Disable WDAC policies](disable-windows-defender-application-control-policies.md)
### [Device Guard and AppLocker](windows-defender-device-guard-and-applocker.md)
## [AppLocker](applocker\applocker-overview.md)
### [Administer AppLocker](applocker\administer-applocker.md)

2
windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Audit Windows Defender Application Control policies

2
windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Create a Windows Defender Application Control policy from a reference computer

2
windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Disable Windows Defender Application Control policies

2
windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Enforce Windows Defender Application Control policies

2
windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Manage packaged apps with Windows Defender Application Control

2
windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Merge Windows Defender Application Control policies

2
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Microsoft recommended block rules

2
windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Use code signing to simplify application control for classic Windows applications

2
windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Use signed policies to protect Windows Defender Application Control against tampering

2
windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules

2
windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Planning and getting started on the Windows Defender Application Control deployment process

2
windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jsuther1974
ms.date: 02/27/2018
ms.date: 05/03/2018
---
# Windows Defender Application Control

22
windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md Normal file
View File

@ -0,0 +1,22 @@
---
title: Windows Defender Device Guard and AppLocker (Windows 10)
description: Explains how
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
author: jsuther1974
ms.date: 05/03/2018
---
# Windows Defender Device Guard with AppLocker
Although [AppLocker](applocker/applocker-overview.md) is not considered a new Windows Defender Device Guard feature, it complements Windows Defender Device Guard functionality when Windows Defender Application Control (WDAC) cannot be fully implemented or its functionality does not cover every desired scenario.
There are many scenarios in which WDAC would be used alongside AppLocker rules.
As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
> [!NOTE]
> One example of how Windows Defender Device Guard functionality can be enhanced by AppLocker is when you want to apply different policies for different users on the same device. For example, you may allow your IT support personnel to run additional apps that you do not allow for your end-users. You can accomplish this user-specific enforcement by using an AppLocker rule.
AppLocker and Windows Defender Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible.
In addition to these features, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.

2
windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
View File

@ -44,4 +44,4 @@ These settings, located at **Computer Configuration\Administrative Templates\Win
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Professional, 1803|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<br><br>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<br><br>**Note**<br>If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>|
|Turn on Windows Defender Application Guard in Enterprise Mode|Windows 10 Enterprise, 1709 or higher|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.<br><br>**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.|
|Allow files to download to host operating system|Windows 10 Enterprise, 1803|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.<br><br>**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, version 1803<br><br>(experimental only)|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.<br><br>**Important**<br>Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, version 1803<br><br>(experimental only)|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.<br><br><ul>**Important**<br>Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br></ul>**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.<br><br>**Note**<br>This is an experimental feature in Windows 10 Enterprise, version 1803 and will not function without the presence of an additional registry key provided by Microsoft. If you would like to evaluate this feature on deployments of Windows 10 Enterprise, version 1803, please contact Microsoft for further information.|

13
windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
View File

@ -13,7 +13,8 @@ ms.date: 11/07/2017
# Frequently asked questions - Windows Defender Application Guard
**Applies to:**
- Windows 10 Enterpise edition, version 1709
- Windows 10 Enterpise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.
@ -31,7 +32,7 @@ Answering frequently asked questions about Windows Defender Application Guard (A
| | |
|---|----------------------------|
|**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?|
|**A:** |It's not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.|
|**A:** |In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC.<br><br>In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.|
<br>
| | |
@ -55,5 +56,11 @@ Answering frequently asked questions about Windows Defender Application Guard (A
| | |
|---|----------------------------|
|**Q:** |How do I configure WDAG to work with my network proxy (IP-Literal Addresses)?|
|**A:** |WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to WDAG in RS3 (1709) and RS4 (1803).|
|**A:** |WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher.|
<br>
| | |
|---|----------------------------|
|**Q:** |I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering??|
|**A:** |This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and well work with you to enable the feature.|
<br>

42
windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
View File

@ -12,11 +12,12 @@ ms.date: 10/19/2017
# Testing scenarios using Windows Defender Application Guard in your business or organization
**Applies to:**
- Windows 10 Enterpise edition, version 1709
We've come up with a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.
**Applies to:**
- Windows 10 Enterpise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
## Application Guard in standalone mode
You can see how an employee would use standalone mode with Application Guard.
@ -97,6 +98,10 @@ Application Guard provides the following default behavior for your employees:
You have the option to change each of these settings to work with your enterprise from within Group Policy.
**Applies to:**
- Windows 10 Enterpise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
**To change the copy and paste options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**.
@ -152,3 +157,34 @@ You have the option to change each of these settings to work with your enterpris
>[!NOTE]
>If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and arent shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.<br><br>If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br><br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>
**Applies to:**
- Windows 10 Enterpise edition, version 1803
- Windows 10 Professional edition, version 1803
**To change the download options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting.
2. Click **Enabled**.
![Group Policy editor Download options](images/appguard-gp-download.png)
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Download a file from Windows Defender Application Guard.
5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files.
**To change the download options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting.
2. Click **Enabled**.
![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png)
3. Contact Microsoft for further information to fully enable this setting.
4. Once you have fully enabled this experimental feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session.
5. Assess the visual experience and battery performance.

10
windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/24/2018
ms.date: 05/03/2018
---
# Use Automated investigations to investigate and remediate threats
@ -36,8 +36,10 @@ The Automated investigations list shows all the investigations that have been in
## Understand the Automated investigation flow
### How the Automated investigation starts
Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) that resides on a machine that has a *supported operating system for Automated investigation then an Automated investigation can start.
*Currently only Windows 10 version 1803 (spring creators update) and above are supported operating systems for Autoamted Investigation
Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) that resides on a machine that has a supported operating system for Automated investigation then an Automated investigation can start.
>[!NOTE]
>Currently, Automated investigation only supports Windows 10, version 1803 or later.
The alerts start by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view.
@ -63,7 +65,7 @@ While an investigation is running, any other alert generated from the machine wi
If an incriminated entity is seen in another machine, the Automated investigation will expand the investigation to include that machine and a generic machine playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
### How threats are remediated
Depending on how you set up the machine groups and their level of automation, the Automated investigation will either automaticlly remediate threats or require user approval (this is the default). For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
Depending on how you set up the machine groups and their level of automation, the Automated investigation will either automatically remediate threats or require user approval (this is the default). For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
The default machine group is configured for semi-automatic remediation. This means that any malicious entity that needs to be remediated requires an approval and the investigation is added to the **Pending actions** section, this can be changed to fully automatic so that no user approval is needed.

17
windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
ms.date: 05/03/2018
---
@ -85,10 +85,19 @@ For example: netsh winhttp set proxy 10.0.0.6:8080
## Enable access to Windows Defender ATP service URLs in the proxy server
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
Service location | .Microsoft.com DNS record
>![NOTE]
> URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later.
Service location | Microsoft.com DNS record
:---|:---
US |```*.blob.core.windows.net``` <br>```crl.microsoft.com```<br> ```ctldl.windowsupdate.com```<br> ```us.vortex-win.data.microsoft.com```<br> ```winatp-gw-cus.microsoft.com``` <br> ```winatp-gw-eus.microsoft.com```
Europe |```*.blob.core.windows.net```<br>```crl.microsoft.com```<br>```ctldl.windowsupdate.com```<br> ```eu.vortex-win.data.microsoft.com```<br>```winatp-gw-neu.microsoft.com```<br> ```winatp-gw-weu.microsoft.com```<br>
Common URLs for all locations | ```*.blob.core.windows.net``` <br>```crl.microsoft.com```<br> ```ctldl.windowsupdate.com``` ```events.data.microsoft.com```
US | ```us.vortex-win.data.microsoft.com```<br> ```us-v20.events.data.microsoft.com```<br>```winatp-gw-cus.microsoft.com``` <br>```winatp-gw-eus.microsoft.com```
Europe | ```eu.vortex-win.data.microsoft.com```<br>```eu-v20.events.data.microsoft.com```<br>```winatp-gw-neu.microsoft.com```<br>```winatp-gw-weu.microsoft.com```
UK | ```uk.vortex-win.data.microsoft.com``` <br>```uk-v20.events.data.microsoft.com```<br>```winatp-gw-uks.microsoft.com```<br>```winatp-gw-ukw.microsoft.com```
AU | ```au.vortex-win.data.microsoft.com```<br>```au-v20.events.data.microsoft.com```<br>```winatp-gw-aue.microsoft.com```<br>```winatp-gw-aus.microsoft.com```
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.

5
windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
ms.date: 04/24/2018
ms.date: 05/03/2018
---
# Onboard servers to the Windows Defender ATP service
@ -82,8 +82,7 @@ Once completed, you should see onboarded servers in the portal within an hour.
| winatp-gw-neu.microsoft.com | 443 |
| winatp-gw-weu.microsoft.com | 443 |
## Onboard Windows Server 2012 R2 and Windows Server 2016
## Onboard Windows Server, version 1803
Youll be able to onboard in the same method available for Windows 10 client machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
1. Install the latest Windows Server Insider build on a machine. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver).

2
windows/whats-new/whats-new-windows-10-version-1803.md
View File

@ -95,7 +95,7 @@ Prerequisites:
- Windows 10, version 1803 or later.
- Windows 10 Enterprise or Pro
For more information, see [Run custom actions during feature update](https://review.docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.